Researcher who helped compile the knowledge base of common misconfigurations in SCCM releases scanner MisconfigurationManager.ps1

One of the researchers who recently compiled a knowledge base of common misconfigurations and attack techniques affecting Microsoft System Center Configuration Manager (SCCM) has developed an open-source scanner to help administrators more easily identify those weaknesses in their SCCM environments.

“Although we detailed how to carry out, mitigate, and detect each of these attacks in the knowledge base, we soon realized from our discussions with defenders and SCCM administrators that not everyone has the bandwidth, privileges, or permission to demonstrate these attacks to their organization,” Chris Thompson, an adversary simulation specialist at security firm SpecterOps, said in a blog post. “The best advice we could give at the time was to ask someone with SCCM privileges to manually review the environment for misconfigurations… until now!”

SCCM scanner MisconfigurationManager.ps1

His new scanner is implemented as a PowerShell script called MisconfigurationManager.ps1 and is available on GitHub.
For now it can identify insecure configurations that enable eight of the nine SCCM hierarchy takeover techniques described in the knowledge base, as well as two techniques that can be used for privilege escalation and lateral movement.

The Misconfiguration Manager knowledge base, also available on GitHub, organizes the documented SCCM attack techniques into several categories: CRED, five techniques for various types of credential extraction; ELEVATE, two techniques for privilege escalation and lateral movement; EXEC, two techniques for remote code execution; RECON, five techniques for identifying SCCM systems; and TAKEOVER, eight techniques for taking over an SCCM hierarchy, which usually results in full domain control.

The knowledge base also includes defensive articles, split into PREVENT, DETECT and CANARY categories, that cover configuration changes to SCCM which can directly mitigate a specific attack technique.

Thompson plans to expand his scanner to cover the last TAKEOVER technique as well as the CRED attacks, and wants to publish it on PowerShell Gallery, the official repository for PowerShell scripts.

The script can be run with any security role in SCCM (including read-only analyst) against any SMS Provider and uses Windows Management Instrumentation (WMI) to interact with WMI, the registry and the service control manager on the systems that are part of an SCCM site. Thompson advises running it with local admin privileges and network connectivity to RPC and SMB on site systems in order to avoid false positives and obtain the most accurate results.

SCCM allows system administrators to remotely deploy applications, software updates, operating systems and compliance settings to a wide range of Windows servers and workstations. It is a Microsoft technology that has existed under various names for almost 30 years and is extremely widespread in Active Directory environments.
This also means the technology carries a large amount of technical debt from many years of development, and many of its default configurations are insecure, according to the SpecterOps specialists, who regularly perform penetration testing and red team engagements.

Many other researchers have documented SCCM security risks and attacks over the years, highlighting that it is an often overlooked attack surface. Just two weeks ago, researchers from GuidePoint Security presented a method of compromising the SCCM client push account and SCCM machine account, which can lead to a full SCCM site takeover.