Rooting out Risky SCCM Configs with Misconfiguration Manager

tl;dr: I wrote a script to identify every TAKEOVER and ELEVATE attack in Misconfiguration Manager. Ever since Garrett Foster, Duane Michael, and I released Misconfiguration Manager at SO-CON last month, we’ve had tons ...
Misconfiguration Manager: Overlooked and Overprivileged

TL;DR: Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance. We’re also presenting this material at SO-CON 2024 on March 11, ...
SCCM Hierarchy Takeover with High Availability

TL;DR: SCCM sites configured to support high availability can be abused to compromise the entire hierarchy. I previously wrote about how targeting site systems hosting the SMS Provider role can be used to ...
SCCM Hierarchy Takeover

One Site to Rule Them All

tl;dr: There is no security boundary between sites in the same hierarchy. When an administrative user is granted a security role in SCCM, such as Full Administrator or Infrastructure Administrator, ...
Site Takeover via SCCM’s AdminService API

tl;dr: The SCCM AdminService API is vulnerable to NTLM relaying and can be abused for SCCM site takeover.

Prior Work and Credit

Before I get started, I’d like to acknowledge some of the work previously ...
SCCM Site Takeover via Automatic Client Push Installation

tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation. While reading SCCM Current Branch Unleashed and stepping through the site installation process, I found something interesting — the primary site server’s domain computer ...
Relaying NTLM Authentication from SCCM Clients

tl;dr: Seriously, please disable NTLM. I recently learned that you can coerce NTLM authentication from SCCM servers using any Windows SCCM client when automatic site-wide client push installation is enabled and NTLM has not ...
The Phantom Credentials of SCCM: Why the NAA Won’t Die

TL;DR — Stop Using Network Access Accounts! If a Windows machine has ever been an SCCM client, there may be credential blobs for the network access account (NAA) on disk. If an Active Directory account has ever ...
Coercing NTLM Authentication from SCCM

tl;dr: Disable NTLM for Client Push Installation. When SCCM automatic site assignment and automatic client push installation are enabled, and PKI certificates aren’t required for client authentication, it’s possible to coerce NTLM authentication ...