SCCM - Other
Other SCCM Attack Techniques
Request policies without authentication - Automatic device approval enabled
- This one is similar to CRED-2, except we do not need domain credentials.
- Only need to know where the Management Point (-mp) is located at.
In these conditions, the only action that can be performed is attempting to exploit automatic device approval in order to retrieve secret policies without having a machine account at our disposal. By default devices are only enrolled in the collections All systems and All Desktop and Server clients.
Retrieve secret policies without providing a machine account. This will attempt to exploit the automatic device approval misconfiguration (non-default configuration):
Then check all the retrieved policies for credentials.
It is not possible to do this with sccmhunter:
Recommendation(s):
In the Configuration Manager go to: Administration > Site Configuration > Sites > Hierachy Setting > Client Approval and Conflicting Records. Make sure that Automatically approve all computers (not recommended) is not used.
If NAA credentials are found:
First, identify whether your SCCM environment is utilizing a Network Access Account (NAA). Follow Microsoft's guidance by switching to Enhanced HTTP. However, enhanced HTTP will not have an impact if the NAA credential blobs remain valid. Once you've phased out NAAs, proceed with disabling or deleting the NAA accounts in Active Directory.
Pivoting across collections by impersonating compromised SCCM clients
Several of the scenarios presented result in the retrieval of secret policies, whether through the exploitation of automatic device approval, or by providing a valid machine account. However, secret policies fetched in this way are limited to the collections automatically applied to new registered SCCM devices. Other SCCM clients in the internal network may be part of other, custom collections associated with other secret policies containing interesting credentials.
If you have local admin access to any SCCM client you can check if that client is part of collections that you are not yet part of (see RECON-4). If that is the case you might be able to retrieve the secret policies of that collection.
Remote dump SCCM device certifcate (does not work on Windows 11?):
Locally (doesn't work on Windows 11?):
Get the SCCM client GUID. Look for something like "Client is registered. Server assigned ClientID is GUID":
Then create a folder and add the guid to guid.txt and the private key to key.pem.
Next, run SCCMSecrets to request secret policies for that specific SCCM client:
Windows Session Hijacking via CcmExec
It is possible to coerce logged on domain users on a SCCM client and retrieve their NTLMv2 (or relay it). You need local admin on the client to do this, see: https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec?hl=en
Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections (CVE-2024-43468)
This script exploits the CVE-2024-43468 that allows an unauthenticated attacker, with network access to a Management Point, to execute arbitrary SQL queries on the site database. Exploit/patch date: late 2024.
When KB29166583 is missing, all the following Microsoft Configuration Manager versions are vulnerable:
- < 2403 (5.00.9128.1024)
- < 2309 (5.00.9122.1033)
- < 2303 (5.00.9106.1037)
- < 2211 (*)
Exploit the management point and add a sysadmin to the MSSQL server:
Then login to the site database as sysadmin: