New knowledge base compiles Microsoft Configuration Manager attack techniques

The Microsoft Configuration Manager (MCM) or System Center Configuration Manager (SCCM) is a powerful technology that system administrators have used to manage computers on Windows networks for almost 30 years. However, SCCM misconfigurations are rampant inside network environments and researchers have shown over the years how its features and capabilities can be abused by attackers for lateral movement and privilege escalation.

A team of researchers from penetration testing firm SpecterOps has now compiled a knowledge base that brings together all the SCCM attack techniques documented over the past 12 years, including those discovered in their own red teaming and pen-testing engagements. The knowledge base, dubbed Misconfiguration Manager, also includes defensive strategies and hardening guidance.

“As with most 30-year-old technologies, Configuration Manager was not designed with modern security considerations,” the SpecterOps researchers said in a blog post announcing the new resource. “Many of its default configurations enable various components of its attack surface. Couple that with the inherent challenges of Active Directory environments and you have a massive attack surface suffering from a combined 55 years of technical debt.”

The researchers claim they’ve encountered Configuration Manager deployments in almost every Active Directory environment they’ve investigated, a testament to the utility and popularity of the platform, which allows admins to deploy applications, software updates, operating systems and compliance settings at scale to servers and workstations.

Common misconfigurations in MCM

One of the most common insecure configurations for Configuration Manager encountered by SpecterOps is an overprivileged network access account (NAA), one of the many accounts that SCCM uses for its various tasks.

“We (very) commonly find the network access account to be configured as the client push installation account (local admin on all clients), SCCM Administrator, or even domain administrator,” the researchers said.

This means that should an attacker gain access to this account, they now have local admin on all computers managed via SCCM and can then use that access to dump credentials and find other accounts.

In one instance, penetration testers gained access to a regular user’s SharePoint account; that user in turn had read access to the PXE boot media used by Configuration Manager. PXE boot media is used to boot a computer from a location on the network in order to remotely deploy an operating system.

The PXE boot media was not password protected and included a certificate that could be used to request the network access account. That account in turn allowed the testers to extract domain administrator credentials for two separate domains.

Moreover, when operating systems are deployed via PXE by Configuration Manager, a task executes that automatically joins that computer to a domain. This is done by a so-called “task sequence domain join account” which creates the corresponding computer object in Active Directory and automatically becomes its owner. The issue is that the credentials for this account are accessible by any PXE client.

“Therefore, if OSD [operating system deployment] is used to join many computers (workstations or servers) to the domain, the domain join account will have ownership over all of them,” the researchers said. “If a server is promoted to domain controller, or granted other Tier Zero roles, the domain join account serves as a direct path to those assets.”

Another common misuse is enrolling domain controllers as clients in Configuration Manager so they can be remotely managed. This might sound intuitive, but it’s a big security risk because if the Configuration Manager site (central server) is compromised, attackers gain remote code execution on the domain controllers via applications, scripts and package deployments.
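The three misconfigurations described above (an overprivileged network access account, a task sequence domain join account that owns Tier Zero computer objects, and domain controllers enrolled as SCCM clients) can be checked mechanically once the relevant inventory has been exported. The script below is an added example written for this article, not code from SpecterOps or Misconfiguration Manager; every account name, hostname and the `Inventory` data shape are constructed, and a real audit would populate the structure from AD and the SCCM site (for instance from computer object owners and group membership) rather than from literals.

```python
"""Audit a constructed SCCM/AD inventory for the misconfigurations the
article describes. Added example, not SpecterOps code; all names are invented."""
from dataclasses import dataclass

# AD groups the article treats as Tier Zero for the NAA membership check.
TIER_ZERO_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Inventory:
    network_access_account: str      # SCCM network access account (NAA)
    client_push_account: str         # client push installation account
    domain_join_account: str         # task sequence domain join account
    sccm_full_admins: set            # accounts holding the SCCM Full Administrator role
    group_members: dict              # AD group name -> flattened set of members
    computer_owners: dict            # computer object -> owning account
    domain_controllers: set          # computer objects that are DCs
    sccm_clients: set                # computer objects enrolled as SCCM clients


def audit(inv: Inventory) -> list:
    """Return one human-readable finding per misconfiguration detected."""
    findings = []
    naa = inv.network_access_account

    # 1. NAA reused for a role that grants local admin or SCCM/domain admin.
    if naa == inv.client_push_account:
        findings.append(f"NAA {naa} is also the client push installation account")
    if naa in inv.sccm_full_admins:
        findings.append(f"NAA {naa} holds the SCCM Full Administrator role")
    for group in sorted(TIER_ZERO_GROUPS):
        if naa in inv.group_members.get(group, set()):
            findings.append(f"NAA {naa} is a member of {group}")

    # 2. Domain join account owns computer objects that became Tier Zero assets.
    owned = {c for c, owner in inv.computer_owners.items()
             if owner == inv.domain_join_account}
    for dc in sorted(owned & inv.domain_controllers):
        findings.append(f"domain join account {inv.domain_join_account} owns DC object {dc}")

    # 3. Domain controllers managed as SCCM clients (RCE path if the site falls).
    for dc in sorted(inv.domain_controllers & inv.sccm_clients):
        findings.append(f"domain controller {dc} is enrolled as an SCCM client")
    return findings


def sample_inventory() -> Inventory:
    """Constructed inventory that exhibits all three problems."""
    return Inventory(
        network_access_account="CORP\\sccm_naa",
        client_push_account="CORP\\sccm_naa",          # same account reused
        domain_join_account="CORP\\sccm_djoin",
        sccm_full_admins={"CORP\\sccm_admin"},
        group_members={"Domain Admins": {"CORP\\da1", "CORP\\sccm_naa"}},
        computer_owners={"DC01$": "CORP\\sccm_djoin",   # DC built via OSD
                         "WS01$": "CORP\\sccm_djoin",
                         "SRV01$": "CORP\\admin"},
        domain_controllers={"DC01$", "DC02$"},
        sccm_clients={"WS01$", "DC02$"},                # DC02 enrolled as client
    )


if __name__ == "__main__":
    for finding in audit(sample_inventory()):
        print("FINDING:", finding)
```

Each finding maps to a PREVENT action the article implies: give the NAA a dedicated low-privilege identity, reset ownership of OSD-built computer objects (or avoid building Tier Zero hosts through OSD), and remove domain controllers from the SCCM client population.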

The researchers describe such an incident:

“While triaging task sequence logs, we found an interesting script in a readable network location. We downloaded the script, which contained credentials for an MSSQL database. We authenticated to the MSSQL database and discovered a SQL link to another instance. Rinse and repeat two more times. After crawling three SQL links, we landed in the Configuration Manager CAS site database.”

“Then, we cracked the DBA credentials to log into the database directly. We got code execution on the server via xp_cmdshell. Also, we granted ourselves the ‘Full Administrator’ role in the RBAC_Admins table. Finally, we hosted a payload on a network share and used Configuration Manager to execute the payload on a domain controller client.”

Accessing the Misconfiguration Manager knowledge base

The knowledge base, developed by SpecterOps adversary simulation specialists Duane Michael, Chris Thompson and Garrett Foster, is available on GitHub and is open source. It draws inspiration from the MITRE ATT&CK framework and from Push Security’s SaaS attack techniques matrix in how it orders the tactics.

For example, it breaks techniques down into several categories: CRED, five techniques that can be used for various types of credential extraction; ELEVATE, two techniques that can be used for privilege escalation and lateral movement; EXEC, two techniques for remote code execution; RECON, five techniques for identifying SCCM systems; and TAKEOVER, eight techniques that can be used to take over an SCCM hierarchy, which will usually result in full domain control.

Each technique is described in detail in its own article, including relevant MITRE ATT&CK TTPs, requirements needed to execute it, variations of the technique (sub-techniques) as well as examples. The articles also cross-reference separate articles on the defensive tactics that apply to the attack technique. External references such as links to blog posts and whitepapers are also included.

PREVENT, DETECT, and CANARY categories

The defensive knowledge is similarly organized into categories called PREVENT, DETECT and CANARY. PREVENT articles typically cover configuration changes to SCCM that directly mitigate a specific attack technique. DETECT articles contain detection strategies for the various techniques, and CANARY articles describe deceptive measures that set traps for attackers, alerting defenders to their presence in the environment and to attempts to abuse SCCM features.
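To make the DETECT category concrete, the script below scans log lines for two of the site-database actions recounted in the incident earlier in the article: enabling `xp_cmdshell` and writing to the `RBAC_Admins` table. It is an added example, not taken from Misconfiguration Manager or SpecterOps. The `xp_cmdshell` pattern matches the text SQL Server writes to its error log when a configuration option changes; the `AUDIT login=... db=... stmt=...` line shape, the logins, the column names and the allow-list are all constructed for the sample and would need to be adapted to the audit format actually in use.

```python
"""Detection example over constructed SQL Server log lines for two SCCM
site-database abuse indicators. Added example; log format is invented."""
import re

# SQL Server's own message text when xp_cmdshell is switched on via sp_configure.
XP_CMDSHELL_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

# Constructed audit-line shape: "<timestamp> AUDIT login=<login> db=<db> stmt=<sql>"
AUDIT_LINE = re.compile(r"AUDIT login=(?P<login>\S+) db=(?P<db>\S+) stmt=(?P<stmt>.*)$")

# Any statement that writes to RBAC_Admins (optionally schema-qualified/bracketed).
RBAC_WRITE = re.compile(
    r"^\s*(INSERT\s+INTO|UPDATE|DELETE\s+FROM)\s+(\[?dbo\]?\.)?\[?RBAC_Admins\]?",
    re.IGNORECASE,
)

# Constructed allow-list: the site server is expected to maintain role rows.
ALLOWED_RBAC_WRITERS = {"CORP\\sccm_siteserver$"}


def scan(lines):
    """Return (alert_type, detail) tuples for suspicious lines."""
    alerts = []
    for line in lines:
        if XP_CMDSHELL_ON.search(line):
            alerts.append(("xp_cmdshell_enabled", line.strip()))
            continue
        m = AUDIT_LINE.search(line)
        if not m:
            continue
        if RBAC_WRITE.match(m["stmt"]) and m["login"] not in ALLOWED_RBAC_WRITERS:
            alerts.append(("rbac_admins_modified", f"{m['login']} -> {m['stmt']}"))
    return alerts


# Constructed sample log: one benign option change, one xp_cmdshell enable,
# one expected role-table update by the site server, one unexpected insert
# by the 'sa' login, and one harmless read.
SAMPLE_LOG = """\
2024-03-05 10:12:01.11 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-05 10:12:01.12 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-05 10:13:40.00 AUDIT login=CORP\\sccm_siteserver$ db=CM_CAS stmt=UPDATE RBAC_Admins SET LastSeen = GETDATE() WHERE AdminID = 1
2024-03-05 10:15:07.41 AUDIT login=sa db=CM_CAS stmt=INSERT INTO dbo.RBAC_Admins (AdminSID, LogonName) VALUES (0x01, 'CORP\\newadmin')
2024-03-05 10:16:00.00 AUDIT login=sa db=CM_CAS stmt=SELECT TOP 1 * FROM RBAC_Admins
""".splitlines()


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(f"ALERT [{kind}] {detail}")
```

The allow-list is the important design choice: the site server legitimately touches the role table, so alerting on every write produces noise, whereas a write from any other login, or a direct `xp_cmdshell` enable on the site database host, is the kind of event worth paging on.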

“Our goal is to help demystify SCCM tradecraft and simplify SCCM attack path management for defenders while also educating offensive security professionals on this nebulous attack surface,” the authors wrote in the repository description.

“Designed to go beyond the static nature of whitepapers, this living repository documents known SCCM misconfigurations and their abuses and encourages ongoing contributions from the community to enhance its relevance and utility.”
