
Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance.

License: GNU General Public License v3.0 (GPL-3.0)

Sponsored by SpecterOps. Contact the authors on Slack, or on Twitter at @subat0mik, @_Mayyhem, and @garrfoster.


Misconfiguration Manager


This repository serves as a central knowledge base for all known Microsoft Configuration Manager (a.k.a. MCM, ConfigMgr, System Center Configuration Manager, or SCCM) tradecraft and associated defensive and hardening guidance. Our goal is to help demystify SCCM tradecraft and simplify SCCM attack path management for defenders while also educating offensive security professionals on this nebulous attack surface. Designed to go beyond the static nature of whitepapers, this living repository documents known SCCM misconfigurations and their abuses and encourages ongoing contributions from the community to enhance its relevance and utility.

We've curated this repository to raise awareness of the rapidly evolving SCCM threat landscape, drawing inspiration from the MITRE ATT&CK framework, with a few deviations. We were also strongly influenced by Push Security's SaaS attack techniques matrix as well as Will Schroeder and Lee Chagolla-Christensen's Certified Pre-Owned whitepaper.

Our approach extends beyond cataloging the tactics of known adversaries to include contributions from the realm of penetration testing, red team operations, and security research. At SpecterOps, we've leveraged many misconfigurations highlighted in this repository in real-world environments, while others represent experimental and exploratory research projects proved out in a lab environment.

This project also serves as a central point of reference for all of the SCCM attack and defense resources that we're aware of.

We openly invite you to submit both proven and exploratory SCCM-focused attack techniques and defensive strategies and resources to this project and to provide any feedback and recommendations about the content in this repository.



How to use this project

Start with the SCCM Attack Matrix and SCCM Attack and Defense Matrix below, which map attack techniques to their MITRE ATT&CK framework tactics, as well as to their detection and prevention strategies.

Offensive security practitioners may also benefit from reviewing the list of known and documented Attack Techniques, which identifies the security context and network access that are required for each technique.

Defenders and IT administrators may benefit from reviewing the list of known and documented Defense Techniques, which identifies the administrator roles we think are most likely to be involved in the implementation of each item.

If you aren't familiar with a term used in a technique's description, refer to the glossary page, which contains definitions for terms commonly used in SCCM.

If you'd like to test these techniques in a lab environment or learn more about SCCM attack and defense, please refer to the resources page, which contains links to all the SCCM lab and attack/defense resources that we are aware of, many of which inspired and informed the information in this repository.

If we've overlooked anything or are missing credits for prior work, please reach out to us or submit a pull request and we'd be happy to make updates.



SCCM Attack Matrix

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration
PXE Creds App Deployment App Deployment Relay to Site Server SMB App Deployment PXE Credentials LDAP Enumeration Relay to Site DB (MSSQL) CMPivot CMPivot
Script Deployment Script Deployment Relay Client Push Installation Script Deployment Policy Request Credentials SMB Enumeration Relay to AdminService
Relay to ADCS Relay to Site DB (MSSQL) DPAPI Credentials HTTP Enumeration Relay Between HA
Relay to LDAP Relay to LDAP Legacy Credentials CMPivot App Deployment
Relay to Site DB (SMB) Site Database Credentials Script Deployment
Relay to ADCS Relay to Site Server (SMB)
Relay CAS to Child Relay Client Push Installation
Relay to AdminService Relay CAS to Child
Relay to SMS Provider (SMB) Relay to SMS Provider (SMB)
Relay Between HA SQL Linked as DBA
SQL Linked as DBA

SCCM Attack and Defense Matrix

CRED‑1 CRED‑2 CRED‑3 CRED‑4 CRED‑5 ELEVATE‑1 ELEVATE‑2 EXEC‑1 EXEC‑2 RECON‑1 RECON‑2 RECON‑3 RECON‑4 RECON‑5 TAKEOVER‑1 TAKEOVER‑2 TAKEOVER‑3 TAKEOVER‑4 TAKEOVER‑5 TAKEOVER‑6 TAKEOVER‑7 TAKEOVER‑8 TAKEOVER‑9
CANARY‑1 X X X X X
DETECT‑1 X X X X X X X X X X
DETECT‑2 X
DETECT‑3 X
DETECT‑4 X
DETECT‑5 X X X X
PREVENT‑1 X
PREVENT‑2 X
PREVENT‑3 X X X X
PREVENT‑4 X X X
PREVENT‑5 X
PREVENT‑6 X
PREVENT‑7 X
PREVENT‑8 X X X
PREVENT‑9 X X X X X
PREVENT‑10 X X X X
PREVENT‑11 X X X
PREVENT‑12 X X X X X X
PREVENT‑13 X
PREVENT‑14 X X X
PREVENT‑15 X
PREVENT‑16 X
PREVENT‑17 X X X X X
PREVENT‑18 X
PREVENT‑19 X X
PREVENT‑20 X X X X X X X X X X X X X X X X
PREVENT‑21 X
PREVENT‑22



Taxonomy Overview

At the time of release, TAKEOVER-1 through TAKEOVER-9 are, in our opinion, listed in descending order of likelihood based on system defaults and our experience testing SCCM hierarchies. Further additions will be numbered sequentially by release date.

With the exception of TAKEOVER, these techniques are numbered in no particular order. A higher or lower number does not represent our opinion of the item's importance, likelihood, or how it should be prioritized.

Attack Techniques

CRED

Techniques coded with a CRED moniker primarily abuse credential access. CRED techniques are the most common we've seen and often lead to direct hierarchy takeover or domain compromise.

ELEVATE

Techniques coded with an ELEVATE moniker can be used for either local or domain privilege escalation. In some cases, these can be chained with other techniques for a hierarchy takeover primitive.

EXEC

Techniques coded with an EXEC moniker can be used to execute commands, scripts, code, etc. on a remote target through SCCM's built-in functionality.

RECON

Techniques coded with a RECON moniker relate to either performing reconnaissance against SCCM infrastructure or using SCCM to conduct further reconnaissance.

TAKEOVER

Techniques coded with a TAKEOVER moniker describe the various steps necessary to compromise an SCCM hierarchy.



Defense Techniques

CANARY

Defensive strategies coded with a CANARY moniker describe deception strategies that can be used to lure adversaries into tripping a high-fidelity detection.

DETECT

Defensive strategies coded with a DETECT moniker describe strategies for detecting offensive techniques. In some cases, multiple DETECT strategies may be required for a stronger detection.

PREVENT

Defensive strategies coded with a PREVENT moniker describe configuration changes to mitigate one or more aspects of an offensive technique. In some cases, multiple PREVENT strategies may be needed to fully mitigate an offensive technique.

NOTE: We strongly recommend proper and thorough testing of any changes before configuring them in a production environment. The authors and contributors of this repository are not responsible for any breaking changes. Use as a guide at your own risk.



Contributors

Duane Michael, Chris Thompson, and Garrett Foster are the primary authors of this project, with contributions from Diego Lomellini and Josh Prager.

Please reach out to us on Twitter or join us in the #sccm channel on the BloodHoundGang Slack if you have any questions or are interested in contributing!