One of many researchers that not too long ago compiled a data base of frequent misconfigurations and assault methods impacting Microsoft System Heart Configuration Supervisor (SCCM), has developed an open-source scanner to assist directors extra simply determine these weaknesses of their SCCM environments.
“Though we detailed methods to perform, mitigate, and detect every of those assaults within the data base, we quickly realized from our discussions with defenders and SCCM directors that not everybody has the bandwidth, privileges, or permission to show these assaults to their group,” Chris Thompson, an adversary simulation specialists at security agency SpecterOps, stated in a weblog submit. “The very best recommendation we may give on the time was to ask somebody with SCCM privileges to manually overview the surroundings for misconfigurations… till now!”
SCCM scanner MisconfigurationManager.ps1
His new scanner is carried out as a PowerShell script known as MisconfigurationManager.ps1 and is offered on GitHub. For now it is ready to determine insecure configurations that allow eight of the 9 SCCM hierarchy takeover methods described within the data base, in addition to two methods that can be utilized for privilege escalation and lateral motion.
The Misconfiguration Supervisor data base, additionally accessible on GitHub, organizes the documented SCCM assault methods into a number of classes: CRED, 5 methods that can be utilized for varied forms of credential extraction; ELEVATE, two methods that can be utilized for privilege escalation and lateral motion; EXEC, two methods for distant code execution; RECON, 5 methods for figuring out SCCM techniques; and TAKEOVER, eight methods that can be utilized to take over an SCCM hierarchy which can normally lead to a full area management.
The data base additionally consists of defensive articles which are break up into PREVENT, DETECT and CANARY classes and canopy configuration adjustments to SCCM that may immediately mitigate a particular assault method.
Thompson plans to additional broaden his scanner to additionally cowl the final TAKEOVER method in addition to the CRED assaults and desires to publish it on PowerShell Gallery, the official repository for PowerShell scripts.
The script could be run with any security position in SCCM (together with read-only analyst) towards any SMS supplier and leverages the Home windows Administration Instrumentation (WMI) to work together with the WMI, registry and the service management supervisor on the techniques which are a part of a SCCM web site. Thompson advises customers to run it with native admin privileges and community connectivity to RPC and SMB on web site techniques in an effort to keep away from false positives and procure probably the most correct outcomes.
SCCM permits system directors to remotely deploy functions, software program updates, working techniques and compliance settings to a variety of Home windows servers and workstations. It’s a Microsoft know-how that has existed underneath varied names for nearly 30 years and is extraordinarily widespread in Lively Listing environments. This additionally means the know-how has a considerable amount of technical debt from a few years of improvement, with a lot of its default configurations being insecure in keeping with the SpecterOps specialists, who usually carry out penetration testing and purple crew engagements.
Many different researchers have documented SCCM security dangers and assaults over time, highlighting that it’s an typically missed assault floor. Simply two weeks in the past, researchers from GuidePoint Safety introduced a technique of compromising the SCCM shopper push account and SCCM machine account, which might result in a full SCCM web site takeover.
