Offensive SCCM: Abusing Microsoft's C2 Framework

Presented at DEF CON 32 (2024), Aug. 8, 2024, 9 a.m. (240 minutes).

Microsoft Configuration Manager, formerly SCCM (System Center Configuration Manager), is a powerful technology that has been used to deploy software to Windows systems in the majority of enterprise environments since it was released by Microsoft in 1994. Although SCCM has a high potential for abuse due to its privileged access to entire fleets of servers and workstations, it has not been heavily researched or leveraged by security professionals until recently, presumably due to the time-consuming installation process and learning curve. In this workshop, students will be provided access to a live environment that reflects an enterprise SCCM deployment, gain an understanding of how the different components of SCCM interact, and learn how to execute recently discovered attack primitives that can be used to compromise SCCM clients, servers, and entire hierarchies. By completing both guided exercises and optional CTF challenges in this lab environment, students will learn how to demonstrate the impact of attack paths involving SCCM.
By the end of this workshop, participants will be able to:
- understand the foundational concepts needed to attack and defend SCCM
- understand SCCM defaults and configurations that can be abused
- use SCCM to complete a realistic attack chain, including recon, privilege escalation, credential gathering, site takeover, and lateral movement
- understand how to use offensive security tools to interact with SCCM, such as SCCMHunter, SharpSCCM, sccmwtf, PXEThief, and ntlmrelayx

To get the most out of this training, participants will benefit from reviewing the following resources, although they are not required:
- Misconfiguration Manager (misconfigurationmanager.com)
- System Center Configuration Manager Current Branch Unleashed, by Kerrie Meyler
- Configuration Manager Terminology
- Looking Inside Configuration Manager
- Network Design
- Client Management

Since 2022, Chris, Duane, and Garrett have released a combined 8 blog posts and authored 3 tools (SharpSCCM, SCCMHunter, and Misconfiguration Manager) that demonstrate novel offensive techniques to abuse SCCM functionality.

Presenters:

  • Chris Thompson / @retBandit - Principal Consultant at SpecterOps
    Chris Thompson (@_Mayyhem) is a Principal Consultant at SpecterOps, where he conducts red team operations, research, tool development, and training. Chris has instructed at Black Hat USA/EU and spoken at Arsenal, DEF CON Demo Labs, SO-CON, and Troopers. He is the primary author of Maestro and SharpSCCM and co-author of Misconfiguration Manager, an open-source tool and knowledge base that can be used to help demonstrate, mitigate, and detect attacks that abuse Microsoft Configuration Manager (formerly SCCM).
  • Duane Michael - Managing Consultant at SpecterOps
    Duane Michael (@subat0mik) is a Managing Consultant at SpecterOps, where he conducts red team operations, penetration tests, research, course development, and training. Duane has instructed courses on red teaming and vulnerability research at BH USA/EU, NorthSec, and SO-CON. He has presented at Arsenal and DEF CON Demo Labs, contributes to various open source projects, and is a co-author of Misconfiguration Manager.
  • Garrett Foster - Senior Consultant at SpecterOps
    Garrett Foster (@garrfoster) is a Senior Consultant at SpecterOps, where he conducts red team operations, penetration testing, research, training, and course development. Garrett has presented at WWHF and BsidesPDX. Garrett is the primary author of SCCMHunter and a co-author of Misconfiguration Manager.
