Home
SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for credential gathering and lateral movement without requiring access to the SCCM administration console GUI.
- User location and lateral movement functions ported from PowerSCCM
- Requesting NTLM authentication from SCCM clients for lateral movement
- Credential gathering (Network Access Accounts) by Duane Michael @subat0mik
- Requesting and Unobfuscating NAAs by Adam Chester @_xpn_
- Functionality to abuse newly discovered attack primitives for coercing NTLM authentication from SCCM servers in sites where automatic site-wide client push installation is enabled, which can allow takeover of SCCM.
This tool can be used to demonstrate the impact of configuring SCCM without the recommended security settings.
SharpSCCM works from any Windows machine running the SCCM client software and leverages Windows Management Instrumentation (WMI) and the ConfigMgr Client Messaging SDK to communicate with SCCM management points.
- Install hotfix KB15599094 and disable NTLM for client push installation (prevents coercion via client push)
- Use Enhanced HTTP and disable network access accounts
- Disable automatic site-wide client push installation, use software update-based installation instead
- Set a strong PXE boot password (prevents cracking to obtain OSD creds)
- Disable "F8-Debugging" (uncheck the "Enable command support" option) in production PXE boot networks
- Require PKI certificates for client authentication (prevents rogue device registration)
- Enable multi-factor authentication for SMS Provider calls
- Don't use over-privileged credentials (e.g., Domain Admins) for NAA/client push/domain join/task sequences/collection variables
- Don't enable WebClient on site systems (prevents coercion via HTTP)
- Don't manage tier zero assets (e.g., domain controllers) with ConfigMgr or treat ConfigMgr as tier zero
- Access the ConfigMgr console using accounts in the same tier as the devices in the site
- Require SMB signing on all site systems (prevents relay to SMB)
- Require LDAP signing or channel binding on domain controllers (prevents relay to LDAP)
- Require Extended Protection for Authentication (EPA) on AD CS servers (prevents relay to HTTP)
- Disable network access accounts in AD after ConfigMgr transition to Enhanced HTTP
- Disable SeMachineAccountPrivilege/MachineAccountQuota for non-admin users to prevent them from adding computers to the domain
- Remove Extended Rights assignment from users who do not require this permission (prevents GetLAPSPassword for created accounts)
- Move from legacy LAPS to Windows LAPS in Azure with password encryption enabled
- Require Extended Protection for Authentication (EPA) on the site database (prevents relay to MSSQL)
- Don't link other databases to your site database, especially with DBA privileges
- Set strong passwords for DBA accounts that are unique to each site database
- Block all unnecessary connections to site systems, especially SMB and MSSQL (reduces coercion via SMB and relay to SMB/MSSQL)
- Only support PXE boot on VLANs restricted to authorized administrators
- Monitor for suspicious activity on site systems and using site accounts:
  - Site system computer accounts authenticating from an IP address that isn't their static IP
  - Client push installation accounts authenticating from anywhere other than the primary site server
  - Canary network access accounts and client push installation accounts authenticating anywhere
  - Legitimate network access accounts authenticating to anywhere other than a distribution point
  - Unusual application deployments in the site's Audit Status Messages
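As an added example (not code from SharpSCCM or this wiki), the first four monitoring indicators above expressed as simple detection rules run over constructed logon records; the record fields, account names, IPs and hostnames are assumptions chosen for illustration.

```python
# Added example: toy detection logic for the SCCM account-abuse indicators listed
# above, run over constructed logon records. Field names, account names, IPs and
# hostnames are assumptions for illustration, not values from the wiki.
from dataclasses import dataclass

@dataclass(frozen=True)
class Logon:
    account: str      # authenticating account, e.g. "CONTOSO\\CM1$"
    source_ip: str    # address the authentication originated from
    target: str       # host that accepted the logon

# Assumed site inventory (constructed for this example).
SITE_SYSTEM_IPS = {"CONTOSO\\CM1$": "10.0.0.10"}   # site system computer accounts -> static IP
PRIMARY_SITE_SERVER_IP = "10.0.0.10"
CLIENT_PUSH_ACCOUNTS = {"CONTOSO\\sccm_push"}
CANARY_ACCOUNTS = {"CONTOSO\\sccm_naa_canary", "CONTOSO\\sccm_push_canary"}
NETWORK_ACCESS_ACCOUNTS = {"CONTOSO\\sccm_naa"}
DISTRIBUTION_POINTS = {"CM1", "DP1"}

def detect(logons):
    """Return (rule, logon) pairs for every record matching one of the indicators."""
    alerts = []
    for l in logons:
        acct = l.account
        if acct in CANARY_ACCOUNTS:
            # Canary NAA / client push accounts should never authenticate at all.
            alerts.append(("canary_account_used", l))
        if acct in SITE_SYSTEM_IPS and l.source_ip != SITE_SYSTEM_IPS[acct]:
            # Site system computer account arriving from a non-static IP (possible relay).
            alerts.append(("site_system_unexpected_ip", l))
        if acct in CLIENT_PUSH_ACCOUNTS and l.source_ip != PRIMARY_SITE_SERVER_IP:
            # Client push account should only originate from the primary site server.
            alerts.append(("client_push_not_from_site_server", l))
        if acct in NETWORK_ACCESS_ACCOUNTS and l.target not in DISTRIBUTION_POINTS:
            # A legitimate NAA should only authenticate to distribution points.
            alerts.append(("naa_outside_distribution_point", l))
    return alerts

# Constructed sample: a benign logon per account plus one suspicious logon each.
SAMPLE_LOGONS = [
    Logon("CONTOSO\\CM1$", "10.0.0.10", "DC1"),             # benign
    Logon("CONTOSO\\CM1$", "10.0.5.77", "DC1"),             # site server account from a workstation IP
    Logon("CONTOSO\\sccm_push", "10.0.0.10", "GW1"),        # benign client push
    Logon("CONTOSO\\sccm_push", "10.0.5.77", "GW1"),        # push account not from the site server
    Logon("CONTOSO\\sccm_naa", "10.0.5.20", "DP1"),         # benign NAA -> distribution point
    Logon("CONTOSO\\sccm_naa", "10.0.5.20", "FS1"),         # NAA -> file server
    Logon("CONTOSO\\sccm_naa_canary", "10.0.5.20", "DP1"),  # canary used at all
]

if __name__ == "__main__":
    for rule, l in detect(SAMPLE_LOGONS):
        print(f"{rule}: {l.account} from {l.source_ip} -> {l.target}")
```

In practice the records would come from domain controller 4624/4776 events or the site database logs rather than an inline list.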
More ideas for detection opportunities can be found in the Detection Guidance section of this post: https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a. Please reach out or submit an update if you have any other practical detection ideas that have minimal impact on user experience, performance, additional overhead, etc.
Microsoft's Windows and Office 365 deployment lab kit can deploy a fully operational SCCM lab in Hyper-V in less than an hour. You only need the following systems to begin testing SharpSCCM functionality:
- CM1: Configuration Manager Primary Site Server, Management Point, and Site Database Server
- GW1: Configuration Manager Client
- DC1: Domain Controller
You could also consider deploying a lab in Azure using a template or AutomatedLab.
For debugging, I share a directory in GW1 that is accessible from my host running Visual Studio, execute the Visual Studio Remote Debugger on GW1, configure a post-build job to copy the solution files to the share on GW1, and configure Visual Studio to remote debug on GW1.
Research is ongoing to add SharpSCCM features to:
- execute SharpSCCM actions in environments that require PKI certificates
- escalate privileges from local administrator on site servers to SCCM Full Administrator
The time I'm able to spend researching, developing, and improving SharpSCCM would not be possible without SpecterOps's sponsorship of the project as part of their commitment to transparency and support for open-source development. I'm immensely grateful for their guidance and support.
The following people have contributed to this project:
- Duane Michael (@subat0mik)
- Evan McBroom (@EvanMcBroom)
- Diego Lomellini (@DiLomSec1)
- Carsten Sandker (@0xcsandker)
Some features were built based on the work of the following people:
- Matt Nelson (@enigma0x3)
- Will Schroeder (@harmj0y)
- Benjamin Delpy (@gentilkiwi)
- Adam Chester (@xpn)
- guervild
Special thanks to others who submitted PRs/fixes:
- John Lambert (@JohnLaTwC)
If you're interested in collaborating, please hit me up on Twitter (@_Mayyhem) or the BloodHoundGang Slack!