Using SCCM to violate best practices
This is my first public blog, so please be gentle. 😛 One of the things that IT professionals preach about is centralized administration. They will tell you how easy it is to track, manage, and push out updates to endpoints easily and safely to a network. What they don’t seem to think about is the benefit this is to an attacker. If you are not familiar with SCCM, you should read Matt Nelson’s blog on SCCM as well as Dave Kennedy’s talk on SCCM. One of my favorite parts about SCCM per the best practices is linking authentication to Windows authentication… aka linking up to Active Directory. Keep in mind that this is based on the fact that you have already gained Domain Admin (DA) to a network.
Once an attacker gains DA, he moves from regular post exploitation mode to a more targeted attack approach. Legacy methods would be to map shares to boxes that we think the admin’s locally reside on, or trying to find network shares where sensitive data resides. This can become very noisy and increase your opsec risk profile. I am a big fan of minimizing my artifacts I leave behind to include not interactively logging in or even touching a box unless there is a reason. Utilizing centralized administration software or security products works great in minimizing my footprint. It also leads me to the “treasure” faster since I can get the answers to the questions I care about such as:
- Where do the administrators spend most of their time?
- Where does everyone dump their “datas”?
- Which computers have the greatest chance of containing the “treasure” I am looking for?
- Are there any domains I don’t know about that I can expand into?
Using SQL and Neo4, I was able to not only find the answer to the above, but also develop an interactive program that would show me the fastest attack path from any node. This turns out to be great to show visualize attack patterns.
To view my queries I use, check out my Github . The rest of this blog post will be how I visualize this.
I utilize Get-PrivyUsers.ps1 and Get-CriticalComputers.ps1 to determine my valuable assets and users in the domain. Next I will run RunningApplications.sql (Invoke-Sqlcmd in PosH works great) to get all the running applications in a network. Next, I will get a list of all users in the network (this is just to get meta for everyone):
Get-ADUser -filter * |Select-Object -Property SamAccountName, name|Export-Csv -NoTypeInformation users.csv
I will then query for who is the Primary user as well as the Top user of each computer. In most engagements, I find that this differs from what people think.
Finally, I setup Neo4J and wrote a simple import script in Python that takes this data and ingests it: Neo4j_Integration.py
MATCH (u:User) WHERE n.samAccountName =
Next thing I was able to do is the same thing but with the Privilege Users on the domain. This turned up some really interesting information since we were able to find users that had access to Domain Controllers who were not part of any Admins group or followed the companies naming convention.
MATCH (p:PrivyUser) RETURN p
Now we can expand these out to determine where users spend most of there time. Why is this important? I find that most people store things locally on their desktops or in folders on their “personal” machines. So by knowing where a user spends most of his time we can make hypothesis that increase our accuracy of finding IP or other sensitive information.
Other things I have noted from doing this research.
- Most servers don’t have a primary user
- Most servers reside on a segmented network which we can see visually without having to scan up network ranges to find
- This also helped when trying to logically map out a network
Now when we play the 6 degrees of Kevin Bacon to look for our fastest route to get to a critical box, we get something like this:
From here we can see that if an attacker wanted to, after he landed on User1-comp, he could use mimikatz and dump “Service-Acct” password and log into User11-comp. Then we can get “User11-adm” password and login to the DC.
Adding in running applications, I have already done this and the code is on my Github, but I need to redesign the front end to expand only certain properties of a node. Once this is done we can add all other meta about an object. Also, I want to replace computer nodes with squares so it is easier to differentiate.
Active Directory is one of the most targeted applications out there and as an admin, we really need to consider what objects we send to centralized administration. Maybe the safest bet is to isolate the highly sensitive computers from the domain. Centralized administration is awesome but we have to make sure we know what the risks are as well as what the data source is sending us.
Great first post, keep up the blogging and development work!!
We have lots of security blog about how to compromise an organization, however not many on how to protect against them – would you consider expanding your final thoughts section (or maybe a separate blog post) on how you’d detect, and/or mitigate against this type of attack?
Thanks for the feedback. I have another writeup on how Blue Teams can use this and ingest other data from SCCM to be able to possibly detect lateral movements. I will try and have that out by end of February.
Great post and I am looking forward to the blue team follow-up as well.
Check out this project which shares the same base idea: graphing relations between AD entities to find non-trivial paths. https://github.com/ANSSI-FR/AD-control-paths
Very informational and easy to follow for individuals new to this career field!
Since when have you known all this stuff? 😉
What’s up to every body, it’s my first go to see of this weblog; this blog carries remarkable and truly excellent
data for readers.