Home

Introduction

SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for credential gathering and lateral movement without requiring access to the SCCM administration console GUI.

Features

• User location and lateral movement functions ported from PowerSCCM
• Requesting NTLM authentication from SCCM clients for lateral movement
• Credential gathering (Network Access Accounts) by Duane Michael @subat0mik
• Requesting and Unobfuscating NAAs by Adam Chester @_xpn_
• Functionality to abuse newly discovered attack primitives for coercing NTLM authentication from SCCM servers in sites where automatic site-wide client push installation is enabled, which can allow takeover of SCCM
• CMPivot query execution via the AdminService API

This tool can be used to demonstrate the impact of configuring SCCM without the recommended security settings.

SharpSCCM works from any Windows machine running the SCCM client software and leverages Windows Management Instrumentation (WMI) and the ConfigMgr Client Messaging SDK to communicate with SCCM management points.

Defensive Recommendations

ConfigMgr

• Install hotfix KB15599094 and disable NTLM for client push installation (prevents coercion via client push)
• Use Enhanced HTTP and disable network access accounts
• Disable automatic site-wide client push installation, use software update-based installation instead
• Set a strong PXE boot password (prevents cracking to obtain OSD creds)
• Disable "F8-Debugging" (uncheck the "Enable command support" option) in production PXE boot networks
• Require PKI certificates for client authentication (prevents rogue device registration)
• Enable multi-factor authentication for SMS Provider calls
• Don't use over-privileged credentials (e.g., Domain Admins) for NAA/client push/domain join/task sequences/collection variables
• Don't enable WebClient on site systems (prevents coercion via HTTP)
• Don't manage tier zero assets (e.g., domain controllers) with ConfigMgr or treat ConfigMgr as tier zero
• Access the ConfigMgr console using accounts in the same tier as the devices in the site

Domain/Server

• Require SMB signing on all site systems (prevents relay to SMB)
• Require LDAP signing or channel binding on domain controllers (prevents relay to LDAP)
• Require Extended Protection for Authentication (EPA) on AD CS servers (prevents relay to HTTP)
• Disable network access accounts in AD after ConfigMgr transition to Enhanced HTTP
• Disable SeMachineAccountPrivilege/MachineAccountQuota for non-admin users to prevent them from adding computers to the domain
• Remove Extended Rights assignment from users who do not require this permission (prevents GetLAPSPassword for created accounts)
• Move from legacy LAPS to Windows LAPS in Azure with password encryption enabled

Database

• Require Extended Protection for Authentication (EPA) on the site database (prevents relay to MSSQL)
• Don't link other databases to your site database, especially with DBA privileges
• Set strong passwords for DBA accounts that are unique to each site database

Firewall/Network

• Block all unnecessary connections to site systems, especially SMB and MSSQL (reduces coercion via SMB and relay to SMB/MSSQL)
• Only support PXE boot on VLANs restricted to authorized administrators

Security

• Monitor for suspicious activity on site systems and using site accounts
  • Site system computer accounts authenticating from an IP address that isn't their static IP
  • Client push installation accounts authenticating from anywhere other than the primary site server
  • Canary network access accounts and client push installation accounts authenticating anywhere
  • Legitimate network access accounts authenticating to anywhere other than a distribution point
  • Unusual application deployments in the site's Audit Status Messages

More ideas for detection opportunities can be found in the Detection Guidance section of this post: https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a. Please reach out or submit an update if you have any other practical detection ideas that have minimal impact on user experience, performance, additional overhead, etc.

Development

Microsoft's Windows and Office 365 deployment lab kit can deploy a fully operational SCCM lab in Hyper-V in less than an hour. You only need the following systems to begin testing SharpSCCM functionality:

• CM1: Configuration Manager Primary Site Server, Management Point, and Site Database Server
• GW1: Configuration Manager Client
• DC1: Domain Controller

You could also consider deploying a lab in Azure using a template or AutomatedLab.

For debugging, I share a directory in GW1 that is accessible from my host running Visual Studio, execute the Visual Studio Remote Debugger on GW1, configure a post-build job to copy the solution files to the share on GW1, and configure Visual Studio to remote debug on GW1.

My Research

• Coercing NTLM Authentication from SCCM
• Relaying NTLM Authentication from SCCM Clients
• SCCM Site Takeover via Automatic Client Push Installation
• SCCM Hierarchy Takeover
• Hierarchy Takeover without SOCKS

Research is ongoing to add SharpSCCM features to:

• execute SharpSCCM actions in environments that require PKI certificates

My Videos/Talks

• Black Hat USA Arsenal 2022: SharpSCCM
• Black Hat USA Arsenal 2023: SharpSCCM - Abusing Microsoft's C2 Framework
• Black Hat USA SpecterOps Booth 2023: SharpSCCM - Abusing Microsoft's C2 Framework

SCCM Resources by Other Awesome People

• Owning One to Rule Them All, by Dave Kennedy (@HackingDave) and Dave DeSimone
• PowerSCCM, by Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Jared Atkinson (@jaredcatkinson), and Matt Graeber (@mattifestation)
• Targeted Workstation Compromise with SCCM, by Matt Nelson (@enigma0x3)
• Offensive Operations with PowerSCCM, by Matt Nelson (@enigma0x3)
• Client Push Installation Abuse, by Matt Nelson (@enigma0x3)
• Mimikatz misc::sccm, by Benjamin Delpy (@gentilkiwi)
• Mimikatz dpapi::sccm, by Benjamin Delpy (@gentilkiwi)
• MalSCCM, by Phil Keeble (@The_Keeb)
• Push Comes to Shove Part 1, by Brandon Colley (@TechBrandon)
• Push Comes to Shove Part 2, by Brandon Colley (@TechBrandon)
• The Phantom Credentials of SCCM: Why the NAA Won't Die, by Duane Michael (@subat0mik)
• SharpDPAPI SCCM Credential Gathering Support, by Duane Michael (@subat0mik)
• PXEThief, by Christopher Panayi
• CMLoot, by Tomas Rzepka (@1njected)
• Looting Microsoft Configuration Manager, by Tomas Rzepka (@1njected)
• Pulling Passwords Out of Configuration Manager, by Christopher Panayi
• SCCM Credential Recovery for Network Access Accounts, by Evan McBroom (@mcbroom_evan)
• sccmwtf, by Adam Chester (@xpn)
• [Exploring SCCM by Unobfuscating Network Access Accounts, by Adam Chester (@xpn)
• An Inside Look: How to Distribute Credentials Securely in SCCM, by Christopher Panayi
• CISA Red Team Report Featuring SCCM, by CISA
• Active Directory Spotlight: Attacking The Microsoft Configuration Manager (SCCM/MECM), by Carsten Sandker (@0xcsandker)
• Get Secrets via PXE Media Certificates SharpSCCM PR, by Carsten Sandker (@0xcsandker)
• pxethiefy, by Carsten Sandker (@0xcsandker)
• sccmhunter, by Garrett Foster (@garrfoster)
• Site Takeover via SCCM’s AdminService API, by Garrett Foster (@garrfoster)
• impacket SCCM Relay, by Matt Creel (@Tw1sm)
• Grow Your Own SCCM Lab, by @HTTP418
• Offensive SCCM Summary, by @HTTP418
• CMPivot SharpSCCM Support, by Diego Lomellini (@DiLomSec1)
• SQLRecon SCCM Module, by Sanjiv Kawa (@sanjivkawa)
• SCCM Exploitation: The First Cred is the Deepest II, by Gabriel Prud'homme (@vendetce)
• Snaplabs SCCM Lab Template, by @an0n_r0
• SCCM Decrypt POC, by Adam Chester (@xpn)
• Red Team Ops SCCM, by Zero Point Security (@zeropointsecltd)
• We Have C2 at Home: Leveraging Microsoft's C2 Framework, by Garrett Foster (@garrfoster)
• Deobfuscator Implementation in Python by @SkelSec
• SCCM/MECM Hacker Recipes, by Charlie Bromberg (@_nwodtuhs)

Supporters

The time I'm able to spend researching, developing, and improving SharpSCCM would not be possible without SpecterOps's sponsorship of the project as part of their commitment to transparency and support for open-source development. I'm immensely grateful for their guidance and support.

Contributions

The following people have contributed to this project:

• Duane Michael (@subat0mik)
• Evan McBroom (@EvanMcBroom)
• Diego Lomellini (@DiLomSec1)
• Carsten Sandker (@0xcsandker)

Some features were built based on the work of the following people:

• Matt Nelson (@enigma0x3)
• Will Schroeder (@harmj0y)
• Benjamin Delpy (@gentilkiwi)
• Adam Chester (@xpn)
• Garrett Foster (@garrfoster)
• guervild

Special thanks to others who submitted PRs/fixes:

• John Lambert (@JohnLaTwC)

If you're interested in collaborating, please hit me up on Twitter (@_Mayyhem) or the BloodHoundGang Slack!