lconstantin
CSO Senior Writer

Open-source scanner can identify risky Microsoft SCCM configurations

News | Apr 15, 2024 | 3 mins
Configuration Management, Threat and Vulnerability Management

A researcher who helped compile the knowledge base of common misconfigurations in SCCM has released the scanner MisconfigurationManager.ps1.

[Image: system security specialist at a control center full of screens. Credit: Gorodeffnkoff / Shutterstock]

One of the researchers who recently compiled a knowledge base of common misconfigurations and attack techniques affecting Microsoft System Center Configuration Manager (SCCM) has developed an open-source scanner to help administrators more easily identify those weaknesses in their own SCCM environments.

“Although we detailed how to carry out, mitigate, and detect each of these attacks in the knowledge base, we soon realized from our discussions with defenders and SCCM administrators that not everyone has the bandwidth, privileges, or permission to demonstrate these attacks to their organization,” Chris Thompson, an adversary simulation specialist at security firm SpecterOps, said in a blog post. “The best advice we could give at the time was to ask someone with SCCM privileges to manually review the environment for misconfigurations… until now!”

SCCM scanner MisconfigurationManager.ps1

His new scanner is implemented as a PowerShell script called MisconfigurationManager.ps1 and is available on GitHub. For now it is able to identify insecure configurations that enable eight of the nine SCCM hierarchy takeover techniques described in the knowledge base, as well as two techniques that can be used for privilege escalation and lateral movement.

The Misconfiguration Manager knowledge base, also available on GitHub, organizes the documented SCCM attack techniques into several categories: CRED, five techniques for various types of credential extraction; ELEVATE, two techniques for privilege escalation and lateral movement; EXEC, two techniques for remote code execution; RECON, five techniques for identifying SCCM systems; and TAKEOVER, eight techniques for taking over an SCCM hierarchy, which usually results in full domain control.

The knowledge base also includes defensive articles that are split into PREVENT, DETECT and CANARY categories and cover configuration changes to SCCM that can directly mitigate a specific attack technique.

Thompson plans to further expand his scanner to also cover the last TAKEOVER technique as well as the CRED attacks and wants to publish it on PowerShell Gallery, the official repository for PowerShell scripts.

The script can be run with any security role in SCCM (including the read-only analyst role) against any SMS provider, and it uses Windows Management Instrumentation (WMI) to interact with WMI, the registry and the service control manager on the systems that are part of an SCCM site. Thompson advises running it with local admin privileges and network connectivity to RPC and SMB on the site systems, in order to avoid false positives and obtain the most accurate results.

SCCM allows system administrators to remotely deploy applications, software updates, operating systems and compliance settings to a wide range of Windows servers and workstations. It is a Microsoft technology that has existed under various names for almost 30 years and is extremely widespread in Active Directory environments. This also means the technology has a large amount of technical debt from many years of development, with many of its default configurations being insecure according to the SpecterOps specialists, who regularly perform penetration testing and red team engagements.

Many other researchers have documented SCCM security risks and attacks over the years, highlighting that it’s an often overlooked attack surface. Just two weeks ago, researchers from GuidePoint Security presented a method of compromising the SCCM client push account and SCCM machine account, which can lead to a full SCCM site takeover.