This repository serves as a central knowledge base for all known Microsoft Configuration Manager (a.k.a. MCM, ConfigMgr, System Center Configuration Manager, or SCCM) tradecraft and associated defensive and hardening guidance. Our goal is to help demystify SCCM tradecraft and simplify SCCM attack path management for defenders while also educating offensive security professionals on this nebulous attack surface. Designed to go beyond the static nature of whitepapers, this living repository documents known SCCM misconfigurations and their abuses and encourages ongoing contributions from the community to enhance its relevance and utility.
We've curated this repository to raise awareness of the rapidly evolving SCCM threat landscape, drawing inspiration from the MITRE ATT&CK framework, with a few deviations. We were also strongly influenced by Push Security's SaaS attack techniques matrix as well as Will Schroeder and Lee Chagolla-Christensen's Certified Pre-Owned whitepaper.
Our approach extends beyond cataloging the tactics of known adversaries to include contributions from the realm of penetration testing, red team operations, and security research. At SpecterOps, we've leveraged many misconfigurations highlighted in this repository in real-world environments, while others represent experimental and exploratory research projects proved out in a lab environment.
This project also serves as a central point of reference for all of the SCCM attack and defense resources that we're aware of.
We openly invite you to submit both proven and exploratory SCCM-focused attack techniques and defensive strategies and resources to this project and to provide any feedback and recommendations about the content in this repository.
Start with the SCCM Attack Matrix and SCCM Attack and Defense Matrix below, which map attack techniques to their MITRE ATT&CK framework tactics, as well as to their detection and prevention strategies.
Offensive security practitioners may also benefit from reviewing the list of known and documented Attack Techniques, which identifies the security context and network access that are required for each technique.
Defenders and IT administrators may benefit from reviewing the list of known and documented Defense Techniques, which identifies the administrator roles we think are most likely to be involved in the implementation of each item.
If you aren't familiar with a term used in a technique's description, refer to the glossary page, which contains definitions for terms commonly used in SCCM.
If you'd like to test these techniques in a lab environment or learn more about SCCM attack and defense, please refer to the resources page, which contains links to all the SCCM lab and attack/defense resources that we are aware of, many of which inspired and informed the information in this repository.
If we've overlooked anything or are missing credits for prior work, please reach out to us or submit a pull request and we'd be happy to make updates.
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration |
---|---|---|---|---|---|---|---|---|---|---|
PXE Creds | App Deployment | App Deployment | Relay to Site Server SMB | App Deployment | PXE Credentials | LDAP Enumeration | Relay to Site DB (MSSQL) | CMPivot | CMPivot | |
Script Deployment | Script Deployment | Relay Client Push Installation | Script Deployment | Policy Request Credentials | SMB Enumeration | Relay to AdminService | ||||
Relay to ADCS | Relay to Site DB (MSSQL) | DPAPI Credentials | HTTP Enumeration | Relay Between HA | ||||||
Relay to LDAP | Relay to LDAP | Legacy Credentials | CMPivot | App Deployment | ||||||
Relay to Site DB (SMB) | Site Database Credentials | Script Deployment | ||||||||
Relay to ADCS | Relay to Site Server (SMB) | |||||||||
Relay CAS to Child | Relay Client Push Installation | |||||||||
Relay to AdminService | Relay CAS to Child | |||||||||
Relay to SMS Provider (SMB) | Relay to SMS Provider (SMB) | |||||||||
Relay Between HA | SQL Linked as DBA | |||||||||
SQL Linked as DBA | ||||||||||
CRED‑1 | CRED‑2 | CRED‑3 | CRED‑4 | CRED‑5 | ELEVATE‑1 | ELEVATE‑2 | EXEC‑1 | EXEC‑2 | RECON‑1 | RECON‑2 | RECON‑3 | RECON‑4 | RECON‑5 | TAKEOVER‑1 | TAKEOVER‑2 | TAKEOVER‑3 | TAKEOVER‑4 | TAKEOVER‑5 | TAKEOVER‑6 | TAKEOVER‑7 | TAKEOVER‑8 | TAKEOVER‑9 | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CANARY‑1 | X | X | X | X | X | ||||||||||||||||||
DETECT‑1 | X | X | X | X | X | X | X | X | X | X | |||||||||||||
DETECT‑2 | X | ||||||||||||||||||||||
DETECT‑3 | X | ||||||||||||||||||||||
DETECT‑4 | X | ||||||||||||||||||||||
DETECT‑5 | X | X | X | X | |||||||||||||||||||
PREVENT‑1 | X | ||||||||||||||||||||||
PREVENT‑2 | X | ||||||||||||||||||||||
PREVENT‑3 | X | X | X | X | |||||||||||||||||||
PREVENT‑4 | X | X | X | ||||||||||||||||||||
PREVENT‑5 | X | ||||||||||||||||||||||
PREVENT‑6 | X | ||||||||||||||||||||||
PREVENT‑7 | X | ||||||||||||||||||||||
PREVENT‑8 | X | X | X | ||||||||||||||||||||
PREVENT‑9 | X | X | X | X | X | ||||||||||||||||||
PREVENT‑10 | X | X | X | X | |||||||||||||||||||
PREVENT‑11 | X | X | X | ||||||||||||||||||||
PREVENT‑12 | X | X | X | X | X | X | |||||||||||||||||
PREVENT‑13 | X | ||||||||||||||||||||||
PREVENT‑14 | X | X | X | ||||||||||||||||||||
PREVENT‑15 | X | ||||||||||||||||||||||
PREVENT‑16 | X | ||||||||||||||||||||||
PREVENT‑17 | X | X | X | X | X | ||||||||||||||||||
PREVENT‑18 | X | ||||||||||||||||||||||
PREVENT‑19 | X | X | |||||||||||||||||||||
PREVENT‑20 | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | |||||||
PREVENT‑21 | X | ||||||||||||||||||||||
PREVENT‑22 |
At the time of release, TAKEOVER-1 through TAKEOVER-9 are listed in what we believe is descending order of likelihood, based on system defaults and our experience testing SCCM hierarchies. Further additions will be numbered sequentially by release date.
With the exception of TAKEOVER, these techniques are numbered in no particular order. A higher or lower number does not represent our opinion of the item's importance, likelihood, or how it should be prioritized.
Techniques coded with a CRED moniker primarily abuse credential access. CRED techniques are the most common we've seen and often lead to direct hierarchy takeover or domain compromise.
Techniques coded with an ELEVATE moniker can be used for either local or domain privilege escalation. In some cases, these can be chained with other techniques for a hierarchy takeover primitive.
Techniques coded with an EXEC moniker can be used to execute commands, scripts, code, etc. on a remote target through SCCM's built-in functionality.
Techniques coded with a RECON moniker relate to either performing reconnaissance against SCCM infrastructure or using SCCM to conduct further reconnaissance.
Techniques coded with a TAKEOVER moniker describe the various steps necessary to compromise an SCCM hierarchy.
Defensive strategies coded with a CANARY moniker describe deception strategies that could be used to lure adversaries into tripping a high-fidelity detection.
Defensive strategies coded with a DETECT moniker describe strategies for detecting offensive techniques. In some cases, multiple DETECT strategies may be required for a stronger detection.
Defensive strategies coded with a PREVENT moniker describe configuration changes to mitigate one or more aspects of an offensive technique. In some cases, multiple PREVENT strategies may be needed to fully mitigate an offensive technique.
NOTE: We strongly recommend proper and thorough testing of any changes before configuring them in a production environment. The authors and contributors of this repository are not responsible for any breaking changes. Use as a guide at your own risk.
Duane Michael, Chris Thompson, and Garrett Foster are the primary authors of this project, with contributions from Diego Lomellini and Josh Prager.
Please reach out to us on Twitter or join us in the #sccm channel on the BloodHoundGang Slack if you have any questions or are interested in contributing!