Misconfiguration Manager: Still Overlooked, Still Overprivileged
Jun 26 2025
By: Duane Michael & Garrett Foster • 8 min read
TL;DR: It has been one year since Misconfiguration Manager’s release and the security community has been hard at work researching new tradecraft and identifying new attack paths. Here we summarize everything that we (the community) have done over the past year and the impact it’s making on the state of SCCM security.
Introduction
In 2024, Chris Thompson, Garrett Foster, and I released Misconfiguration Manager at SO-CON and TROOPERS. Our goal was to create a living repository of SCCM adversary tradecraft. The release was a success, and much of the lexicon has since been adopted by the security industry.
With SCCM gaining recognition as a common target for researchers, operators, and threat actors, it became obvious that the tempo of new research was increasing. Therefore, another key objective was to encourage community contributions. There’s simply far more work to be done than the three of us could ever tackle alone.
This blog summarizes and highlights the updates to Misconfiguration Manager from the community over the past year. It will not cover all the details of each technique, but you can reference misconfigurationmanager.com for that!
If you’re a defender or sysadmin and are wondering “what even is Misconfiguration Manager?”, or “how do I get started using it?”, check out https://github.com/subat0mik/Misconfiguration-Manager/tree/main?tab=readme-ov-file#remediation-quick-start
Additionally, we’d like to highlight the impact the project has had on SCCM security, something we’re particularly proud of.
Reflection & Impact
When we started this journey, we set out to make the world a safer place by demystifying the dangers of adversary tradecraft targeting the (almost) universal SCCM. We had two primary goals:
- Raise awareness about SCCM security risks to drive improvements and protect enterprises globally
- Promote community contributions through an accessible, inclusive project structure
As with any security research, we had our concerns about how it would be received by not only the security community, but also the sysadmins who use it regularly and the developers responsible for it.
At SO-CON 2024, we unveiled the project and it gained traction immediately. We quickly saw the buzz in the admin community and learned that we had an opportunity to help them. People were asking for a way to audit these misconfigurations that led to dangerous attacks. Chris promptly wrote a PowerShell script, MisconfigurationManager.ps1, to do just that.
He also invested a lot of time collaborating with the SCCM community, produced some joint presentations, and attended their MMS conferences. Tom Degreef and Kim Oppalfens deserve a special shout-out for all of their help, collaboration, and introductions to the SCCM community. We learned that the product teams at Microsoft appreciated the project and they quickly set to work addressing the issues we highlighted in Misconfiguration Manager.
Furthermore, the project certainly gained the attention of security researchers and offensive security practitioners. People listened when we said there’s much more work to do, a lot more attack surface to investigate, and more misconfigurations and bugs to discover. Spoiler: There STILL is!
We’ve heard (indirectly) that MSRC has seen more SCCM reports in the past six months than they had in the past six years!
We also know that Microsoft has reduced the size of its SCCM development team. We don’t know the direct reason for the reduction, though we can speculate. It could be related to the push to move customers to Intune, or an effort to accelerate the death of SCCM. It could be a coincidental effect of Microsoft’s recent, wider layoff campaign.
There’s much more discussion about what this may mean on the /r/SCCM subreddit.
What we do know: Fewer developers likely implies fewer security vulnerabilities will receive fixes, or at least it will take longer to address them.
There has been some evidence of Microsoft improving SCCM security:
- In-console warnings for insecure configurations, such as network access accounts and a lack of EPA for the site database
- Support for EPA on the MSSQL site database, though it is not enforced
- Addition of a CMG enhanced security option
Regardless of Microsoft’s vision for SCCM’s future, a cold truth remains: Intune (for workstations) and Azure Arc (for servers) are still a long way from feature parity with SCCM and many enterprises will continue to use SCCM for years to come. Sound familiar? * Cough * Active Directory * Cough *
The moral of the story here is that Misconfiguration Manager and the continued research of the security community have directly impacted enterprise security around the world. Goal #1 achieved. We’re making a difference. And we’re not done yet.
Community Contributions & Thanks
Our second goal was to grow Misconfiguration Manager into a community project. Reflecting on how “Certified Pre-Owned” unfolded: it was a massive hit, but it only captured a snapshot in time. Will and Lee captured so much information in the whitepaper, yet the community set to work and continued to develop new tooling, tradecraft, and TTPs. That information became scattered over various resources, as a whitepaper was not a living resource.
Will and Lee shared this perspective with us and coached us when we were getting started. They suggested a format that could easily be updated and contributed to. We chose to take it one step further: a format that could easily be updated and contributed to by anyone. So we settled on a simple GitHub repository.
While we released Misconfiguration Manager as a centralized resource, not all tooling or research covered therein was ours, and we always ensure we’re overly generous with crediting researchers. We always prefer if researchers submit a pull request to add their SCCM research to Misconfiguration Manager, but if they don’t, we’ll add it ourselves to ensure the repo remains up-to-date.
Now, we’d like to give some shout-outs to contributors who help make Misconfiguration Manager what it is!
Our colleague, Josh Prager, has contributed a wealth of information to the defensive guidance in the project. Most recently, Josh created DETECT-5 through DETECT-8, which we’ve also seen implemented in the real world, where they have led to mitigations of various SCCM attacks during red team operations. Josh has presented his work at SO-CON 24 and SO-CON 25. Check them out!
Diego Lomellini contributed RECON-4 in the initial release of the project and more recently added COERCE-1, leading to the creation of the new COERCE category. COERCE-1 provides an alternative method to assume a user’s context by coercing NTLM authentication via CMPivot.
Adam Chester wrote new tooling for CRED-1 (cred1py), making it possible to execute the technique over SOCKS via a C2 implant. This was much needed and brought CRED-1 to the arsenals of red team operators, not just penetration testers with network access.
Alberto Rodriguez and Erik Hunstad submitted a PR for CRED-6, as well as created tooling for looting SCCM distribution points (https://github.com/fortra/impacket/pull/1790 and https://github.com/badsectorlabs/sccm-http-looter).
Marshall Price wrote multiple blogs covering SCCM tradecraft and contributed ELEVATE-3 last year, and more recently DETECT-4.
Dylan Bradley found one of the most important pieces of tradecraft missing from the initial release: How to enumerate the remote site database (RECON-6), thus allowing attackers to easily identify TAKEOVER-1 targets. He also submitted a corresponding PR.
Release Notes
Here we’d like to highlight the changes that have been added to the project over the past year.
- Added RECON-6: Enumerate SCCM roles via the SMB Named Pipe winreg
- Added RECON-7: Enumerate SCCM site information via local files
- Added CRED-6: Loot domain credentials, SSH keys, and more from SCCM Distribution Points (DP)
- Added CRED-7: Retrieve credentials via AdminService API
- Added CRED-8: Retrieve credentials via WMI
- Updated CRED-1: Includes tooling and guidance to execute over C2
- Added ELEVATE-4: Distribution Point Takeover via PXE PKI Certificate
- Added ELEVATE-5: Distribution Point Takeover via OSD PKI Certificate
- Added EXEC-3: Host takeover via CM Remote Control
- Added a new COERCE category to capture SCCM-specific techniques used to coerce authentication from users or computers
- Added COERCE-1: NTLM coercion via CMPivot query
- Added COERCE-2: NTLM coercion via SCNotification AppDomainManager Injection
- Updated DETECT-4 to include more thorough MSSQL event descriptions and summary
- Added DETECT-5: Monitor group membership changes for SMS Admins
- Added DETECT-6: Monitor group membership changes for RBAC_Admins table
- Added DETECT-7: Monitor read access to the SMSTemp directory
- Added DETECT-8: Monitor connections to winreg named pipe
- Added DETECT-9: Monitor local object access for local SCCM logs and settings
And some that aren’t quite ready for release and/or finished yet:
- TAKEOVER-10: Currently with MSRC
- EXEC-3: Task sequence execution
- EXEC-4: Configuration baseline execution
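Two of the detection entries above, monitoring membership changes to SMS Admins (DETECT-5) and connections to the winreg named pipe (DETECT-8), lend themselves to simple log-based rules. The block below is an added example written for this post, not the project’s MisconfigurationManager.ps1 or the text of its DETECT pages. It runs two such rules over constructed Windows Security event records; the event IDs (4728/4729/4732/4733 for group membership changes, 5145 for detailed file share access) are standard Windows Security log IDs, while the hostnames, accounts, addresses and the two allowlists are assumptions for the example.

```python
"""Detection logic run over constructed Windows Security event records for the
DETECT-5 (SMS Admins membership) and DETECT-8 (winreg named pipe) ideas.
Added example for this page, not the project's own tooling. Field names mirror
the EventData fields of the Windows Security log; all values are constructed."""
from dataclasses import dataclass

# Windows Security log event IDs used here:
#   4732 / 4733  member added to / removed from a security-enabled local group
#   4728 / 4729  the same for a security-enabled global group
#   5145         network share object checked for access ("Detailed File Share"
#                auditing); named-pipe opens are logged under the IPC$ share
GROUP_ADD = {4728, 4732}
GROUP_REMOVE = {4729, 4733}
SHARE_ACCESS = 5145

# Assumed allowlists for this example. In practice these come from change control
# (who may edit SMS Admins) and asset inventory (which hosts may open winreg on
# the site server, e.g. a vulnerability scanner).
EXPECTED_GROUP_EDITORS = {"CORP\\svc-cm-install"}
EXPECTED_WINREG_SOURCES = {"10.0.0.5"}


@dataclass
class Alert:
    rule: str
    detail: str


def _actor(ev):
    return f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'


def detect_sms_admins_changes(events):
    """Flag additions to / removals from SMS Admins by anyone outside the expected
    editors. In 4728-4733, TargetUserName is the group and MemberName the account."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid not in GROUP_ADD and eid not in GROUP_REMOVE:
            continue
        if ev["TargetUserName"].lower() != "sms admins":
            continue
        if _actor(ev) in EXPECTED_GROUP_EDITORS:
            continue
        action = "added to" if eid in GROUP_ADD else "removed from"
        alerts.append(Alert("SMS Admins change",
                            f'{ev["MemberName"]} {action} SMS Admins by '
                            f'{_actor(ev)} on {ev["Computer"]}'))
    return alerts


def detect_winreg_pipe_connections(events):
    """Flag 5145 events where the IPC$ share was used to open the winreg pipe
    (remote registry) from a source address outside the expected set."""
    alerts = []
    for ev in events:
        if ev["EventID"] != SHARE_ACCESS:
            continue
        if not ev["ShareName"].upper().endswith("\\IPC$"):
            continue
        if ev["RelativeTargetName"].lower() != "winreg":
            continue
        if ev["IpAddress"] in EXPECTED_WINREG_SOURCES:
            continue
        alerts.append(Alert("winreg pipe access",
                            f'winreg opened from {ev["IpAddress"]} as '
                            f'{_actor(ev)} on {ev["Computer"]}'))
    return alerts


def run_detections(events):
    return detect_sms_admins_changes(events) + detect_winreg_pipe_connections(events)


# Constructed sample records (not real log data); comments state the expected result.
SAMPLE_EVENTS = [
    # expected installer account adding a service account: no alert
    {"EventID": 4732, "Computer": "CM01", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc-cm-install", "TargetUserName": "SMS Admins",
     "MemberName": "CORP\\svc-cm-reporting"},
    # an ordinary user adding an account to SMS Admins: alert
    {"EventID": 4732, "Computer": "CM01", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "TargetUserName": "SMS Admins",
     "MemberName": "CORP\\backup-svc"},
    # a change to a different group: ignored by this rule
    {"EventID": 4732, "Computer": "CM01", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CORP\\backup-svc"},
    # expected scanner opening winreg: no alert
    {"EventID": 5145, "Computer": "CM01", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc-scanner", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "winreg", "IpAddress": "10.0.0.5"},
    # unexpected host opening winreg: alert
    {"EventID": 5145, "Computer": "CM01", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "winreg", "IpAddress": "10.0.0.77"},
    # same host opening a different pipe: ignored by this rule
    {"EventID": 5145, "Computer": "CM01", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "srvsvc", "IpAddress": "10.0.0.77"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Both rules depend on audit policy that is off by default: 4728-4733 need “Audit Security Group Management”, and 5145 needs “Audit Detailed File Share”, which is noisy on a busy file server and is usually enabled only on site systems. The allowlists are what keep these rules usable; without them the installer account and any patch scanner will trip them on every run.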
Closing
We hope to expand our collaboration with the community. If you have questions or ideas, or you want to contribute but don’t know how… Let’s talk! There are plenty of opportunities to contribute.
Please reach out to us on X or in the #sccm channel of the BloodHound Slack with any feedback or questions!
This blog post accompanies our presentation at Troopers 25 on June 26. We’ll be in Track 2 (Entra/AD Security). Come hang out, say hi, and get some stickers!
Duane Michael — X, GitHub, @ subat0mik on Slack
Chris Thompson — X, GitHub, @ Mayyhem on Slack
Garrett Foster — X, GitHub, @ unsigned_sh0rt on Slack