Researchers Expose Microsoft SCCM Misconfigurations Usable in Cyberattacks



Security researchers have created a knowledge base repository of attack and defense techniques based on improper setup of Microsoft's Configuration Manager, which could allow an attacker to execute payloads or become a domain controller.

Configuration Manager (MCM), formerly known as System Center Configuration Manager (SCCM, ConfigMgr), has been around since 1994 and is present in many Active Directory environments, helping administrators manage servers and workstations on a Windows network. It has been the object of security research for more than a decade as an attack surface [1, 2, 3] that could help adversaries gain administrative privileges on a Windows domain.

At the SO-CON security conference today, SpecterOps researchers Chris Thompson and Duane Michael announced the release of Misconfiguration Manager, a repository of attacks based on faulty MCM configurations that also provides resources for defenders to harden their security stance. The two researchers say that MCM/SCCM is not easy to set up and that many of the default configurations leave room for attackers to take advantage.

In a blog post, Michael explains that the most common and damaging misconfiguration the researchers see in their engagements is network access accounts (NAA) with too many privileges. To demonstrate the risk of a misconfigured MCM/SCCM deployment, the researcher outlined an engagement in which the team was able to get into the central administration site (CAS) database of MCM/SCCM and grant themselves a full administrator role.

Considering that it is widely adopted and must be installed in an Active Directory domain, MCM/SCCM can weaken a company's security posture if improperly configured; configuring it correctly is a task fit for an experienced administrator.
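The over-privileged NAA finding above suggests a simple check an administrator can run on their own domain. The following PowerShell script is an added example, not code from the article or from the Misconfiguration Manager project: it takes the sAMAccountName of the account configured as the NAA (a value you supply, assumed here as the parameter $NaaSamAccountName) and reports whether it is a direct or nested member of a set of built-in privileged groups. The group list is an assumption chosen for illustration; it uses only the standard ActiveDirectory module cmdlets.

```powershell
# Added example (not from the article or the Misconfiguration Manager repository).
# Assumes: the RSAT ActiveDirectory module is installed, and $NaaSamAccountName is
# the sAMAccountName of the account configured as the MCM/SCCM network access account.
param(
    [Parameter(Mandatory = $true)]
    [string]$NaaSamAccountName
)

Import-Module ActiveDirectory -ErrorAction Stop

# Built-in groups whose membership a service account such as the NAA should never need.
# This list is an assumption for the example; extend it with site-specific admin groups.
$privilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Schema Admins',
    'Administrators',
    'Account Operators',
    'Server Operators',
    'Backup Operators'
)

# Confirm the account exists before checking anything else.
$naa = Get-ADUser -Identity $NaaSamAccountName -ErrorAction Stop

$findings = foreach ($groupName in $privilegedGroups) {
    # -Recursive expands nested groups, so indirect membership is caught as well.
    $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.distinguishedName -eq $naa.DistinguishedName }) {
        [PSCustomObject]@{
            Account         = $naa.SamAccountName
            PrivilegedGroup = $groupName
        }
    }
}

if ($findings) {
    Write-Warning "NAA '$($naa.SamAccountName)' holds privileged group membership:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "NAA '$($naa.SamAccountName)' is not a member of any listed privileged group."
}
```

Run it from a workstation with RSAT as a user allowed to read group membership, for example `.\Check-NaaPrivileges.ps1 -NaaSamAccountName svc_sccm_naa` (the script name and account are placeholders). A clean result only covers domain group membership; the NAA should additionally be checked for local administrator rights on clients and for any rights it has been granted directly, which this script does not inspect.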

Security Officer Comments:

MCM/SCCM is a vulnerable attack surface that, if not properly configured, could allow an attacker to grant themselves administrative privileges that they can leverage to execute a payload and further compromise the environment. Misconfiguration Manager aims to prevent the exploitation of this attack surface by curating a matrix that highlights the misconfigurations a threat actor can abuse. This matrix can provide useful insight to offensive security practitioners and defenders alike. By outlining common attack TTPs, categorizing them, and directly correlating them with defensive tactics, this tool can help administrators build modern security measures around old but widely adopted software.

Suggested Corrections:

The Misconfiguration Manager repository created by Chris Thompson, Garrett Foster, and Duane Michael aims to help administrators better understand Microsoft's tool. Currently, the repository describes 22 techniques that could be used to attack MCM/SCCM directly or to leverage it in post-exploitation stages. For each attack method, the researchers also provide guidance on protecting the environment against that technique. Although tested by the creators of Misconfiguration Manager, the defense methods in the repository should be tested by administrators before being implemented in a production environment.

The MCM/SCCM Misconfiguration Manager (via GitHub)