Home

Introduction

SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for credential gathering and lateral movement without requiring access to the SCCM administration console GUI.

Features

• User location and lateral movement functions ported from PowerSCCM
• Requesting NTLM authentication from SCCM clients for lateral movement
• Credential gathering (Network Access Accounts) by Duane Michael @subat0mik
• Requesting and Unobfuscating NAAs by Adam Chester @_xpn_
• Functionality to abuse newly discovered attack primitives for coercing NTLM authentication from SCCM servers in sites where automatic site-wide client push installation is enabled, which can allow takeover of SCCM
• CMPivot query execution via the AdminService API

This tool can be used to demonstrate the impact of configuring SCCM without the recommended security settings.

SharpSCCM works from any Windows machine running the SCCM client software and leverages Windows Management Instrumentation (WMI) and the ConfigMgr Client Messaging SDK to communicate with SCCM management points.

Defensive Recommendations

ConfigMgr

• Install hotfix KB15599094 and disable NTLM for client push installation (prevents coercion via client push)
• Use Enhanced HTTP and disable network access accounts
• Disable automatic site-wide client push installation, use software update-based installation instead
• Set a strong PXE boot password (prevents cracking to obtain OSD creds)
• Disable "F8-Debugging" (uncheck the "Enable command support" option) in production PXE boot networks
• Require PKI certificates for client authentication (prevents rogue device registration)
• Enable multi-factor authentication for SMS Provider calls
• Don't use over-privileged credentials (e.g., Domain Admins) for NAA/client push/domain join/task sequences/collection variables
• Don't enable WebClient on site systems (prevents coercion via HTTP)
• Don't manage tier zero assets (e.g., domain controllers) with ConfigMgr or treat ConfigMgr as tier zero
• Access the ConfigMgr console using accounts in the same tier as the devices in the site

Domain/Server

• Require SMB signing on all site systems (prevents relay to SMB)
• Require LDAP signing or channel binding on domain controllers (prevents relay to LDAP)
• Require Extended Protection for Authentication (EPA) on AD CS servers (prevents relay to HTTP)
• Disable network access accounts in AD after ConfigMgr transition to Enhanced HTTP
• Disable SeMachineAccountPrivilege/MachineAccountQuota for non-admin users to prevent them from adding computers to the domain
• Remove Extended Rights assignment from users who do not require this permission (prevents GetLAPSPassword for created accounts)
• Move from legacy LAPS to Windows LAPS in Azure with password encryption enabled

Database

• Require Extended Protection for Authentication (EPA) on the site database (prevents relay to MSSQL)
• Don't link other databases to your site database, especially with DBA privileges
• Set strong passwords for DBA accounts

Firewall/Network

• Block all unnecessary connections to site systems, especially SMB and MSSQL (reduces coercion via SMB and relay to SMB/MSSQL)
• Only support PXE boot on VLANs restricted to authorized administrators

Security

• Monitor for suspicious activity on site systems and using site accounts
  • Site system computer accounts authenticating from an IP address that isn't their static IP
  • Client push installation accounts authenticating from anywhere other than the primary site server
  • Canary network access accounts and client push installation accounts authenticating anywhere
  • Legitimate network access accounts authenticating to anywhere other than a distribution point
  • Unusual application deployments in the site's Audit Status Messages

More ideas for detection opportunities can be found in the Detection Guidance section of this post: https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a. Please reach out or submit an update if you have any other practical detection ideas that have minimal impact on user experience, performance, additional overhead, etc.

Development

Microsoft's Windows and Office 365 deployment lab kit can deploy a fully operational SCCM lab in Hyper-V in less than an hour. You only need the following systems to begin testing SharpSCCM functionality:

• CM1: Configuration Manager Primary Site Server, Management Point, and Site Database Server
• GW1: Configuration Manager Client
• DC1: Domain Controller

You could also consider deploying a lab in Azure using a template, AutomatedLab, or Snaplabs.

For debugging, I share a directory in GW1 that is accessible from my host running Visual Studio, execute the Visual Studio Remote Debugger on GW1, configure a post-build job to copy the solution files to the share on GW1, and configure Visual Studio to remote debug on GW1.

My Research

• Coercing NTLM Authentication from SCCM
• Relaying NTLM Authentication from SCCM Clients
• SCCM Site Takeover via Automatic Client Push Installation
• SCCM Hierarchy Takeover
• Hierarchy Takeover without SOCKS

Research is ongoing to add SharpSCCM features to:

• execute SharpSCCM actions in environments that require PKI certificates

My Videos/Talks

• Black Hat USA Arsenal 2022: SharpSCCM
• Black Hat USA Arsenal 2023: SharpSCCM - Abusing Microsoft's C2 Framework
• Black Hat USA SpecterOps Booth 2023: SharpSCCM - Abusing Microsoft's C2 Framework

Offensive SCCM Resources by Other Awesome People

• Active Directory Spotlight: Attacking The Microsoft Configuration Manager (SCCM/MECM), by Carsten Sandker (@0xcsandker)
• An Inside Look: How to Distribute Credentials Securely in SCCM, by Christopher Panayi
• CISA Red Team Report Featuring SCCM, by CISA
• Client Push Installation Abuse, by Matt Nelson (@enigma0x3)
• CMLoot, by Tomas Rzepka (@1njected)
• cmloot, by Andreas Vikerup and Dan Rosenqvist
• CMPivot SharpSCCM Support, by Diego Lomellini (@DiLomSec1)
• Deobfuscator Implementation in Python by @SkelSec
• Exploring SCCM by Unobfuscating Network Access Accounts, by Adam Chester (@xpn)
• Get Secrets via PXE Media Certificates SharpSCCM PR, by Carsten Sandker (@0xcsandker)
• Grow Your Own SCCM Lab, by @HTTP418
• impacket SCCM Relay, by Matt Creel (@Tw1sm)
• Looting Microsoft Configuration Manager, by Tomas Rzepka (@1njected)
• Mimikatz misc::sccm, by Benjamin Delpy (@gentilkiwi)
• Mimikatz dpapi::sccm, by Benjamin Delpy (@gentilkiwi)
• MalSCCM, by Phil Keeble (@The_Keeb)
• Offensive Operations with PowerSCCM, by Matt Nelson (@enigma0x3)
• Offensive SCCM Summary, by @HTTP418
• Owning One to Rule Them All, by Dave Kennedy (@HackingDave) and Dave DeSimone
• PowerSCCM, by Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Jared Atkinson (@jaredcatkinson), and Matt Graeber (@mattifestation)
• Pulling Passwords Out of Configuration Manager, by Christopher Panayi
• Push, by Vulnlab
• Push Comes to Shove: Exploring SCCM Attack Paths, by Brandon Colley (@TechBrandon)
• Push Comes to Shove Part 1, by Brandon Colley (@TechBrandon)
• Push Comes to Shove Part 2, by Brandon Colley (@TechBrandon)
• PXEThief, by Christopher Panayi
• pxethiefy, by Carsten Sandker (@0xcsandker)
• Red Team Ops SCCM Module, by Zero Point Security (@zeropointsecltd)
• SCCM Credential Recovery for Network Access Accounts, by Evan McBroom (@mcbroom_evan)
• SCCM Decrypt POC, by Adam Chester (@xpn)
• SCCM w/ Garrett Foster (@garrfoster), by Brandon Colley (@TechBrandon) at Trimarc Happy Hour
• SCCM Exploitation: The First Cred is the Deepest II, by Gabriel Prud'homme (@vendetce)
• SCCM/MECM Hacker Recipes, by Charlie Bromberg (@_nwodtuhs)
• sccmhunter, by Garrett Foster (@garrfoster)
• sccmwtf, by Adam Chester (@xpn)
• SharpDPAPI SCCM Credential Gathering Support, by Duane Michael (@subat0mik)
• Site Takeover via SCCM's AdminService API, by Garrett Foster (@garrfoster)
• Snaplabs SCCM Lab Template, by @an0n_r0
• SQLRecon SCCM Module, by Sanjiv Kawa (@sanjivkawa)
• Targeted Workstation Compromise with SCCM, by Matt Nelson (@enigma0x3)
• The Phantom Credentials of SCCM: Why the NAA Won't Die, by Duane Michael (@subat0mik)
• We Have C2 at Home: Leveraging Microsoft's C2 Framework, by Garrett Foster (@garrfoster)

Supporters

The time I'm able to spend researching, developing, and improving SharpSCCM would not be possible without SpecterOps's sponsorship of the project as part of their commitment to transparency and support for open-source development. I'm immensely grateful for their guidance and support.

Contributions

The following people have contributed to this project:

• Duane Michael (@subat0mik)
• Evan McBroom (@EvanMcBroom)
• Diego Lomellini (@DiLomSec1)
• Carsten Sandker (@0xcsandker)

Some features were built based on the work of the following people:

• Matt Nelson (@enigma0x3)
• Will Schroeder (@harmj0y)
• Benjamin Delpy (@gentilkiwi)
• Adam Chester (@xpn)
• Garrett Foster (@garrfoster)
• guervild

Special thanks to others who submitted PRs/fixes:

• John Lambert (@JohnLaTwC)

If you're interested in collaborating, please hit me up on Twitter (@_Mayyhem) or the BloodHoundGang Slack!