Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/subat0mik/Misconfiguration-Manager

Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance.
https://github.com/subat0mik/Misconfiguration-Manager

Last synced: about 1 month ago
JSON representation

Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance.

Awesome Lists containing this project

README

        



Sponsored by SpecterOps


Slack


@subat0mik on Twitter


@_Mayyhem on Twitter


@unsigned_sh0rt on Twitter

---

# Misconfiguration Manager

![MM-cropped](https://github.com/subat0mik/Misconfiguration-Manager/assets/41414134/0c88e861-4b13-4722-a8b1-7db53f782ee8)

This repository serves as a central knowledge base for all known Microsoft Configuration Manager (a.k.a. MCM, ConfigMgr, System Center Configuration Manager, or SCCM) tradecraft and associated defensive and hardening guidance. Our goal is to help demystify SCCM tradecraft and simplify SCCM attack path management for defenders while also educating offensive security professionals on this nebulous attack surface. Designed to go beyond the static nature of whitepapers, this living repository documents known SCCM misconfigurations and their abuses and encourages ongoing contributions from the community to enhance its relevance and utility.

We've curated this repository to raise awareness of the rapidly evolving SCCM threat landscape, drawing inspiration from the [MITRE ATT&CK framework](https://attack.mitre.org/matrices/enterprise/), with a few deviations. We were also strongly influenced by Push Security's [SaaS attack techniques matrix](https://github.com/pushsecurity/saas-attacks/tree/main) as well as Will Schroeder and Lee Chagolla-Christensen's [Certified Pre-Owned](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf) whitepaper.

Our approach extends beyond cataloging the tactics of known adversaries to include contributions from the realm of penetration testing, red team operations, and security research. At SpecterOps, we've leveraged many misconfigurations highlighted in this repository in real-world environments, while others represent experimental and exploratory research projects proved out in a lab environment.

This project also serves as a central point of reference for all of the [SCCM attack and defense resources](./RESOURCES.md) that we're aware of.

We openly invite you to submit both proven and exploratory SCCM-focused attack techniques and defensive strategies and resources to this project and to provide any feedback and recommendations about the content in this repository.




# How to use this project

Start with the SCCM Attack Matrix and SCCM Attack and Defense Matrix below, which map attack techniques to their MITRE ATT&CK framework tactics, as well as to their detection and prevention strategies.

Offensive security practitioners may also benefit from reviewing the list of known and documented [Attack Techniques](./attack-techniques/_attack-techniques-list.md), which identifies the security context and network access that are required for each technique.

Defenders and IT administrators may benefit from reviewing the list of known and documented [Defense Techniques](./defense-techniques/_defense-techniques-list.md), which identifies the administrator roles we think are most likely to be involved in the implementation of each item.

Curious about how a hierarchy can be completely compromised in certain, mostly default conditions? Check out the list of [TAKEOVER techniques](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/TAKEOVER/_takeover-techniques-list.md).

If you aren't familiar with a term used in a technique's description, refer to the [glossary page](./GLOSSARY.md), which contains definitions for terms commonly used in SCCM.

If you'd like to test these techniques in a lab environment or learn more about SCCM attack and defense, please refer to the [resources page](./RESOURCES.md), which contains links to all the SCCM lab and attack/defense resources that we are aware of, many of which inspired and informed the information in this repository.

If we've overlooked anything or are missing credits for prior work, please reach out to us or submit a pull request and we'd be happy to make updates.




# SCCM Attack Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration |
| :----------------------------------------------------------------------: | :------------------------------------------------------------------------: | :---------------------------------------------------------------------------------: | :----------------------------------------------------------------------------------------------: | :------------------------------------------------------------------------: | :---------------------------------------------------------------------------------------: | :----------------------------------------------------------------------------------: | :----------------------------------------------------------------------------------------------: | :-----------------------------------------------------------------: | :-----------------: | :-----------------------------------------------------------------: |
| [PXE Credentials](./attack-techniques/CRED/CRED-1/cred-1_description.md) | [App Deployment](./attack-techniques/EXEC/EXEC-1/exec-1_description.md) | [App Deployment](./attack-techniques/EXEC/EXEC-1/exec-1_description.md) | [Relay to Site System (SMB)](./attack-techniques/ELEVATE/ELEVATE-1/ELEVATE-1_description.md) | [App Deployment](./attack-techniques/EXEC/EXEC-1/exec-1_description.md) | [PXE Credentials](./attack-techniques/CRED/CRED-1/cred-1_description.md) | [LDAP Enumeration](./attack-techniques/RECON/RECON-1/recon-1_description.md) | [Relay to Site DB (MSSQL)](./attack-techniques/TAKEOVER/TAKEOVER-1/takeover-1_description.md) | [CMPivot](./attack-techniques/RECON/RECON-4/recon-4_description.md) | | [CMPivot](./attack-techniques/RECON/RECON-4/recon-4_description.md) |
| | [Script Deployment](./attack-techniques/EXEC/EXEC-2/exec-2_description.md) | [Script Deployment](./attack-techniques/EXEC/EXEC-2/exec-2_description.md) | [Relay Client Push Installation](./attack-techniques/ELEVATE/ELEVATE-2/ELEVATE-2_description.md) | [Script Deployment](./attack-techniques/EXEC/EXEC-2/exec-2_description.md) | [Policy Request Credentials](./attack-techniques/CRED/CRED-2/cred-2_description.md) | [SMB Enumeration](./attack-techniques/RECON/RECON-2/recon-2_description.md) | [Relay to Site DB (SMB)](./attack-techniques/TAKEOVER/TAKEOVER-2/takeover-2_description.md) | | | |
| | | [Relay to AD CS](./attack-techniques/TAKEOVER/TAKEOVER-3/takeover-3_description.md) | [Relay to Site DB (MSSQL)](./attack-techniques/TAKEOVER/TAKEOVER-1/takeover-1_description.md) | | [DPAPI Credentials](./attack-techniques/CRED/CRED-3/cred-3_description.md) | [HTTP Enumeration](./attack-techniques/RECON/RECON-3/recon-3_description.md) | [Relay Between HA](./attack-techniques/TAKEOVER/TAKEOVER-7/takeover-7_description.md) | | | |
| | | [Relay to LDAP](./attack-techniques/TAKEOVER/TAKEOVER-8/takeover-8_description.md) | [Relay to LDAP](./attack-techniques/TAKEOVER/TAKEOVER-8/takeover-8_description.md) | | [Legacy Credentials](./attack-techniques/CRED/CRED-4/cred-4_description.md) | [CMPivot](./attack-techniques/RECON/RECON-4/recon-4_description.md) | [App Deployment](./attack-techniques/EXEC/EXEC-1/exec-1_description.md) | | | |
| | | | [Relay to Site DB (SMB)](./attack-techniques/TAKEOVER/TAKEOVER-2/takeover-2_description.md) | | [Site Database Credentials](./attack-techniques/CRED/CRED-5/cred-5_description.md) | [SMS Provider Enumeration](./attack-techniques/RECON/RECON-5/recon-5_description.md) | [Script Deployment](./attack-techniques/EXEC/EXEC-2/exec-2_description.md) | | | |
| | | | [Relay to ADCS](./attack-techniques/TAKEOVER/TAKEOVER-3/takeover-3_description.md) | | [Client Push Installation Account](./attack-techniques/CRED/CRED-6/cred-6_description.md) | [Site Server Enumeration](./attack-techniques/RECON/RECON-6/recon-6_description.md) | [Relay to Site System (SMB)](./attack-techniques/ELEVATE/ELEVATE-1/ELEVATE-1_description.md) | | | |
| | | | [Relay CAS to Child](./attack-techniques/TAKEOVER/TAKEOVER-4/takeover-4_description.md) | | [Distribution Point Looting](./attack-techniques/CRED/CRED-6/cred-6_description.md) | | [Relay Client Push Installation](./attack-techniques/ELEVATE/ELEVATE-2/ELEVATE-2_description.md) | | | |
| | | | [Relay to AdminService](./attack-techniques/TAKEOVER/TAKEOVER-5/takeover-5_description.md) | | | | [Relay CAS to Child](./attack-techniques/TAKEOVER/TAKEOVER-4/takeover-4_description.md) | | | |
| | | | [Relay to SMS Provider (SMB)](./attack-techniques/TAKEOVER/TAKEOVER-6/takeover-6_description.md) | | | | [Relay to SMS Provider (SMB)](./attack-techniques/TAKEOVER/TAKEOVER-6/takeover-6_description.md) | | | |
| | | | [Relay Between HA](./attack-techniques/TAKEOVER/TAKEOVER-7/takeover-7_description.md) | | | | [SQL Linked as DBA](./attack-techniques/TAKEOVER/TAKEOVER-9/takeover-9_description.md) | | | |
| | | | [SQL Linked as DBA](./attack-techniques/TAKEOVER/TAKEOVER-9/takeover-9_description.md) | | | | | | | |
| | | | [Relay to Site DB (SMB)](./attack-techniques/TAKEOVER/TAKEOVER-2/takeover-2_description.md) | | | | | | | |


# SCCM Attack and Defense Matrix

| | CRED‑1 | CRED‑2 | CRED‑3 | CRED‑4 | CRED‑5 | CRED‑6 | ELEVATE‑1 | ELEVATE‑2 | ELEVATE‑3 | EXEC‑1 | EXEC‑2 | RECON‑1 | RECON‑2 | RECON‑3 | RECON‑4 | RECON‑5 | RECON‑6 | TAKEOVER‑1 | TAKEOVER‑2 | TAKEOVER‑3 | TAKEOVER‑4 | TAKEOVER‑5 | TAKEOVER‑6 | TAKEOVER‑7 | TAKEOVER‑8 | TAKEOVER‑9 |
| :-------------------- | :-----------: | :-----------: | :-----------: | :-----------: | :-----------: | :-----------: | :--------------: | :--------------: | :--------------: | :-----------: | :-----------: | :------------: | :------------: | :------------: | :------------: | :------------: | :------------: | :---------------: | :---------------: | :---------------: | :---------------: | :---------------: | :---------------: | :---------------: | :---------------: | :---------------: |
| **CANARY‑1** | X | X | X | X | X | X | | | | | | | | | | | | | | | | | | | | |
| **DETECT‑1** | | | | | | | X | X | X | X | | | | | | | | X | X | X | X | X | X | X | X | |
| **DETECT‑2** | | | | | | | | | | | | X | | | | | | | | | | | | | | |
| **DETECT‑3** | | | | | | | | X | X | X | | | | | | | | | | | | | | | | |
| **DETECT‑4** | | | | | | | | | | X | | | | | | | | | | | | | | | | |
| **DETECT‑5** | | | | | | | | | | | | | | | X | X | | X | X | | | | | | | |
| **PREVENT‑1** | | | | | | | | X | X | X | | | | | | | | | | | | | | | | |
| **PREVENT‑2** | | | | | | | | X | X | X | | | | | | | | | | | | | | | | |
| **PREVENT‑3** | X | X | X | X | | X | | | | | | | | | | | | | | | | | | | | |
| **PREVENT‑4** | | X | X | X | | X | | | | | | | | | | | | | | | | | | | | |
| **PREVENT‑5** | | | | | | | | X | X | X | | | | | | | | | | | | | | | | |
| **PREVENT‑6** | X | | | | | | | | | | | | | | | | | | | | | | | | | |
| **PREVENT‑7** | X | | | | | | | | | | | | | | | | | | | | | | | | | |
| **PREVENT‑8** | | X | | | | X | | X | | | | | | | | | | | | | | | X | | | |
| **PREVENT‑9** | | | | | | | | | | X | X | | | | | X | | X | | | | | X | | | |
| **PREVENT‑10** | | X | X | X | X | X | | | | | | | | | | | | | | | | | | | | |
| **PREVENT‑11** | | | | | | | | X | | | | | | | | | | | | X | | | | | X | |
| **PREVENT‑12** | | | | | | | X | X | X | X | | | | | | | | | X | | X | | X | X | | |
| **PREVENT‑13** | | | | | | | | | | | | | | | | | | | | | | | | | X | |
| **PREVENT‑14** | | | | | | | | | | | | | | | | | | X | | X | | X | | | | |
| **PREVENT‑15** | | | | X | | | | | | | | | | | | | | | | | | | | | | |
| **PREVENT‑16** | | X | | | | | | | | | | | | | | | | | | | | | | | | |
| **PREVENT‑17** | X | X | X | X | X | X | | | | | | | | | | | | | | | | | | | | |
| **PREVENT‑18** | | | | | X | | | | | | | | | | | | | | | | | | | | | |
| **PREVENT‑19** | | | | | X | | | | | | | | | | | | | | | | | | | | | X |
| **PREVENT‑20** | | | | | X | | X | | | X | X | | X | X | X | X | | X | X | X | X | X | X | X | X | |
| **PREVENT‑21** | X | | | | | | | | | | | | | | | | | | | | | | | | | |
| **PREVENT‑22** | | | | | | X | | | | | | | | | | | | | | | | | | | | |

---




# Taxonomy Overview

> At the time of release, TAKEOVER-1 through TAKEOVER-9, in our opinion, are ordered in descending order of likelihood based on system defaults and our experiences testing SCCM hierarchies. Further additions will follow sequential order by release date.

> With the exception of TAKEOVER, these techniques are numbered in no particular order. A higher or lower number does not represent our opinion of the item's importance, likelihood, or how it should be prioritized.

## Attack Techniques

### CRED

Techniques coded with a CRED moniker primarily abuse credential access. CRED techniques are the most common we've seen and often lead to direct hierarchy takeover or domain compromise.

### ELEVATE

Techniques coded with an ELEVATE moniker can be used for either local or domain privilege escalation. In some cases, these can be chained with other techniques for a hierarchy takeover primitive.

### EXEC

Techniques coded with an EXEC moniker can be used to execute commands, scripts, code, etc. on a remote target through SCCM's builtin functionality.

### RECON

Techniques coded with a RECON moniker relate to either performing reconnaissance against SCCM infrastructure or using SCCM to conduct further reconnaissance.

### TAKEOVER

Techniques coded with a TAKEOVER moniker describe the various steps necessary to compromise an SCCM hierarchy.




## Defense Techniques

### CANARY

Defensive strategies coded with a CANARY moniker describe deception strategies that could be used to deceive adversaries in tripping a high-fidelity detection.

### DETECT

Defensive strategies coded with a DETECT moniker describe strategies for detecting offensive techniques. In some cases, multiple DETECT strategies may be required for a stronger detection.

### PREVENT

Defensive strategies coded with a PREVENT moniker describe configuration changes to mitigate one or more aspects of an offensive technique. In some cases, multiple PREVENT strategies may be needed to fully mitigate an offensive technique.

**NOTE:** We strongly recommend proper and thorough testing of any changes before configuring them in a production environment. The authors and contributors of this repository are not responsible for any breaking changes. Use as a guide at your own risk.




# Contributors

[Duane Michael](https://twitter.com/subat0mik), [Chris Thompson](https://twitter.com/_Mayyhem), and [Garrett Foster](https://twitter.com/garrfoster) are the primary authors of this project, with contributions from:

- [Diego Lomellini](https://twitter.com/DiLomSec1)
- [Josh Prager](https://twitter.com/Praga_Prag)
- [Marshall Price](https://twitter.com/__Mastadon)
- [Alberto Rodriguez](https://x.com/__ar0d__)

Please reach out to us on Twitter or join us in the `#sccm` channel on the [BloodHoundGang Slack](https://bloodhoundgang.herokuapp.com/) if you have any questions or are interested in contributing!