You're reading from Pentesting Active Directory and Windows-based Infrastructure

Product type: Book
Published in: Nov 2023
Publisher: Packt
ISBN-13: 9781804611364
Edition: 1st Edition
Author: Denis Isakov

Denis Isakov is a passionate security professional with 10+ years of experience ranging from incident response to penetration testing. He worked in various industries, including banking and consultancy. Denis is specialized in offensive security with particular focus on Active Directory and adversary malware. He has earned a Master's degree in Information Systems and Technologies in 2012. Additionally, Denis has achieved an array of industry certifications ranging from OSCP to GXPN. Outside of computers, Denis enjoys sports and discovering new places.

Taking Over WSUS and SCCM

In this final chapter of the book, we will focus on attacking infrastructure management solutions. These are valuable and attractive targets for an adversary, because such systems run under highly privileged accounts with access to almost every piece of the target environment. Windows Server Update Services (WSUS) is a service that deploys updates to client computers in a centralized manner. Microsoft Endpoint Configuration Manager (MECM), formerly known as System Center Configuration Manager (SCCM), is an on-premises endpoint management solution. This product helps IT professionals run system inventory, patching, software deployment, and so on.

We will start by discussing known attacks on WSUS and then show how it can be abused for lateral movement. However, the main focus of this chapter is on SCCM. After the introduction and necessary theory, we will move on to the deployment stage. When our lab is ready, it is time to go...

Technical requirements

In this chapter, you will need to have access to the following:

  • VMware Workstation or Oracle VirtualBox with at least 16 GB of RAM, 8 CPU cores, and at least 55 GB of total disk space (more if you take snapshots)
  • A Linux-based operating system is strongly recommended
  • From the GOADv2 project, we will use DC01 and SRV01
  • From DetectionLab, we will use DC, WEF, and Win10

Abusing WSUS

In most corporate environments, updates are distributed and installed centrally by administrators. For Windows-based infrastructure, the usual approach is to install the WSUS server role on one of the servers in the network and force clients and servers to use it as their update source. WSUS helps to eliminate risks related to missing patches, but it can also be a target for compromise. The reason is simple: an attacker who controls it can distribute malicious code that is downloaded and installed automatically and looks legitimate and trustworthy. Clients get all the required information about the WSUS server by querying the registry values under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate (WUServer, WUStatusServer, and UseWUServer in the AU subkey). In essence, WSUS is a Simple Object Access Protocol (SOAP) XML web service. All updates must be signed by Microsoft, and the digital signature and hash of every update are checked. However, Transport Layer Security (TLS) is not enabled by default, opening the first opportunity...
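The following is an added example, not code from the book: a small audit of exactly the registry values the client reads. On Windows, read_wsus_policy() pulls them from HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate with the standard winreg module; on any other system, assess_wsus_policy() can be fed the same values as a dictionary. The host names and ports in the constructed sample are assumptions, and the finding codes (PLAINTEXT, HOST_MISMATCH, and so on) are the example's own.

```python
"""Audit a client's WSUS policy for the plaintext-HTTP weakness.

Added example (not code from the book). On Windows, read_wsus_policy()
reads HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate with the
standard winreg module; elsewhere, feed assess_wsus_policy() a dictionary
of the same values. The sample policy at the bottom is constructed.
"""
import sys
from urllib.parse import urlsplit

POLICY_KEY = r"Software\Policies\Microsoft\Windows\WindowsUpdate"


def read_wsus_policy():
    """Return {value_name: data} from the WindowsUpdate policy key and its AU subkey.

    Requires Windows: winreg does not exist on other platforms.
    """
    import winreg

    values = {}
    for subkey in (POLICY_KEY, POLICY_KEY + r"\AU"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except FileNotFoundError:
            continue  # policy not applied on this host
        with key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                values[name] = data
                index += 1
    return values


def assess_wsus_policy(values):
    """Return a list of (code, detail) findings for a WindowsUpdate policy.

    Codes: NO_WSUS, MISSING, PLAINTEXT, NONSTANDARD_PORT, HOST_MISMATCH.
    """
    findings = []
    # UseWUServer lives under the AU subkey; 1 means "use the intranet server".
    if int(values.get("UseWUServer", 0) or 0) != 1:
        findings.append(("NO_WSUS", "UseWUServer != 1: client talks to Microsoft Update directly"))
        return findings

    hosts = {}
    for name in ("WUServer", "WUStatusServer"):
        url = values.get(name)
        if not url:
            findings.append(("MISSING", f"{name} is not set"))
            continue
        parts = urlsplit(str(url).strip())
        scheme = parts.scheme.lower()
        hosts[name] = (parts.hostname or "").lower()
        if scheme != "https":
            # Update metadata travels in clear text (default port 8530), so an
            # on-path attacker can tamper with what the client is told to install.
            findings.append(("PLAINTEXT", f"{name}={url} is served over {scheme or 'no scheme'} rather than TLS"))
        default_port = 8531 if scheme == "https" else 8530
        if parts.port not in (None, default_port, 80, 443):
            findings.append(("NONSTANDARD_PORT", f"{name} uses port {parts.port}; verify it is the real WSUS server"))

    if len(hosts) == 2 and hosts["WUServer"] != hosts["WUStatusServer"]:
        findings.append(("HOST_MISMATCH", "WUServer and WUStatusServer point at different hosts"))
    return findings


if __name__ == "__main__":
    if sys.platform == "win32":
        policy = read_wsus_policy()
    else:
        # Constructed sample: a typical default deployment, HTTP on 8530.
        policy = {"UseWUServer": 1,
                  "WUServer": "http://wsus.corp.local:8530",
                  "WUStatusServer": "http://wsus.corp.local:8530"}
    for code, detail in assess_wsus_policy(policy) or [("OK", "no issues found")]:
        print(f"{code}: {detail}")
```

A PLAINTEXT finding on a domain-joined client is the condition the rest of the WSUS discussion builds on: the client will accept whatever update metadata arrives over that HTTP channel, and only the Microsoft signature on the update binary itself is verified.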

Introduction to MECM/SCCM

SCCM is a complicated piece of software with its own hierarchy and terminology, so we will start with the required theory. In essence, SCCM uses a client-server architecture: an agent is installed on each endpoint and then calls back to the server.

Note

Hierarchy designs are described by Microsoft here: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/design-a-hierarchy-of-sites.

In our lab, we will deploy a single standalone primary site. Secondary sites can be added for scalability in a bigger environment. If there is more than one primary site, you will also need a central administration site, which is used only for managing the sites, not the clients. Every site has a three-letter site code. Clients are grouped in boundary groups based on, surprise, boundaries. An IP subnet, an IP address range, or an Active Directory (AD) site are typical boundaries. Also, it is possible to perform discovery tasks and automatically...

Reconnaissance

In this section, we will discuss reconnaissance as well as enumeration. We will briefly cover how to identify SCCM with network access only, and then dive deeper into the assumed breach scenario.

To identify SCCM infrastructure from a non-domain-joined machine, the attacker may perform a simple port scan looking for TCP ports 8530 and 8531 (Software Update point), 10123 (Management point), and 4022 and 1433 (SQL Server). Also, the UDP port 4011 might be an indicator of the Preboot Execution Environment (PXE) boot media being offered. SCCM can be deployed with or without a PXE offering called Operating System Deployment (OSD). We do not have PXE deployed in our lab, but there are some promising vectors to consider.
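As an added example (not tooling from the book), the port list above turned into a quick role fingerprint: a parallel TCP connect probe of those ports followed by a role guess. UDP 4011 is deliberately left out of the probe, because the proxyDHCP listener only answers a properly formed PXE discover (which is what PXEThief sends); an empty UDP datagram tells you nothing. The role labels and the loopback default target are the example's own assumptions.

```python
"""Fingerprint likely SCCM roles from the TCP ports discussed above.

Added example, not tooling from the book. Plain TCP connect probes of the
ports the text associates with SCCM roles, run in parallel, then a role
guess. UDP 4011 (PXE/proxyDHCP) is not probed here: it only answers a real
PXE discover, which PXEThief implements.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Port -> role hint, taken from the reconnaissance text above.
SCCM_TCP_PORTS = {
    8530: "software update point (HTTP)",
    8531: "software update point (HTTPS)",
    10123: "management point (client notification)",
    1433: "SQL Server (site database)",
    4022: "SQL Server Service Broker",
}


def tcp_open(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_host(host, ports=SCCM_TCP_PORTS, timeout=1.0):
    """Return the sorted list of ports (from `ports`) that accept connections on host."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        results = list(pool.map(lambda p: (p, tcp_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def guess_roles(open_ports, pxe_answered=False):
    """Map open ports to the SCCM roles they suggest.

    pxe_answered should be True when a PXE discover received a proxyDHCP reply
    on UDP 4011, which the text associates with OSD being offered.
    """
    open_ports = set(open_ports)
    roles = []
    if open_ports & {8530, 8531}:
        roles.append("software update point")
    if 10123 in open_ports:
        roles.append("management point")
    if open_ports & {1433, 4022}:
        roles.append("site database server")
    if pxe_answered:
        roles.append("distribution point with PXE (OSD)")
    return roles


def report(host, open_ports, pxe_answered=False):
    """Human-readable summary of one host's probe results."""
    lines = [f"{host}:"]
    for port in open_ports:
        lines.append(f"  tcp/{port} open - {SCCM_TCP_PORTS.get(port, 'unknown')}")
    roles = guess_roles(open_ports, pxe_answered) or ["no SCCM indicators"]
    lines.append("  likely roles: " + ", ".join(roles))
    return "\n".join(lines)


if __name__ == "__main__":
    # Target is an assumption; pass the real address on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(target, probe_host(target)))
```

Treat the result as a hint, not proof: 1433 and 4022 only say "SQL Server", and a site database shared with other applications looks identical from the network. The management point and software update point are usually the more reliable tell.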

To check whether PXE is available in the environment, there is a tool called PXEThief[11]. This tool sends a DHCP discover request to search for PXE servers and fetch PXE boot files. If PXE media is encrypted, then the attacker needs to guess or crack...

Privilege escalation

This section will be focused on privilege escalation via credential harvesting and authentication coercion. For harvesting, we will need a local Administrator account.

Client push authentication coercion

As in previous chapters, we will split the attack into a hash capture phase and a relay phase. Our goal is to coerce the client push installation account into authenticating against a machine we control, so that we can capture its NTLM response.

Note

Coercion attacks were presented by Mayyhem in his blog post at https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a.

The important fact is that the attack does not require administrative privileges. The client push installation account is a local administrator on every machine where it has installed the client, so the captured NTLM response, once cracked (or relayed, as in the Lateral movement section), grants administrative access to all of those machines. The main prerequisites are automatic client assignment for a boundary group, automatic site-wide client push installation, and allowed connection fallback...

Lateral movement

SCCM is, by design, excellent tooling for lateral movement: agents are installed throughout the environment, and highly privileged accounts are used to perform administrative tasks. It is also a good opportunity to blend in with legitimate traffic and activity. We will start our discussion of lateral movement by extending the coercion of authentication to relay attacks.

Client push authentication relay attack

This attack is very similar to the one in the Privilege escalation section. The only difference is that this time we relay the captured NTLM authentication to another machine instead of capturing it for cracking. (Just a reminder: the relay only works against a target that does not require SMB signing.) The coercion side of the attack is exactly the same. On our listening machine, we start ntlmrelayx:

impacket-ntlmrelayx -t 192.168.56.106 -smb2support

After triggering the client push installation, the authentication was relayed to the Exchange server and the SAM hashes were dumped, as shown in the following screenshot:

...
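The relay above leaves a trace on the target: the Exchange server records a Security event 4624 for the push account as a network logon (LogonType 3) authenticated with NTLM from the relay host's address, not the site server's. The following added example (not from the book) runs that check over a handful of constructed 4624 records reduced to the fields needed. The site server address, the push account name, and every event in the sample are assumptions; the 4624 field names (TargetUserName, TargetDomainName, LogonType, AuthenticationPackageName, IpAddress) are the real ones.

```python
"""Flag client push account logons that do not come from the site server.

Added example, not from the book. A relayed client push authentication
shows up on the relay target as Security event 4624: a network logon
(LogonType 3) of the push account, authenticated with NTLM, from the
attacker's IP rather than the site server's. SITE_SERVERS, PUSH_ACCOUNTS
and SAMPLE_EVENTS are all constructed for this example.
"""
from dataclasses import dataclass

SITE_SERVERS = {"192.168.56.100"}        # constructed: the SCCM site server
PUSH_ACCOUNTS = {"corp\\sccm_push"}      # constructed: client push installation account


@dataclass(frozen=True)
class Logon:
    """Subset of the 4624 fields we need (names follow the event schema)."""
    computer: str         # Computer: the host that accepted the logon
    target_domain: str    # TargetDomainName
    target_user: str      # TargetUserName
    logon_type: int       # LogonType (3 = network)
    auth_package: str     # AuthenticationPackageName
    ip_address: str       # IpAddress of the connecting side


def account(ev):
    """DOMAIN\\user in lower case, for comparison with PUSH_ACCOUNTS."""
    return f"{ev.target_domain}\\{ev.target_user}".lower()


def triage(ev):
    """Return the reasons this logon is suspicious (empty list if benign)."""
    if account(ev) not in PUSH_ACCOUNTS or ev.logon_type != 3:
        return []
    reasons = []
    if ev.ip_address not in SITE_SERVERS:
        reasons.append(f"push account used from {ev.ip_address}, which is not a site server (relay?)")
    if ev.auth_package.upper() == "NTLM":
        reasons.append("NTLM used; with NTLM fallback disabled the site server should authenticate with Kerberos")
    return reasons


def scan(events):
    """Return [(event, reasons)] for every event that raised at least one reason."""
    hits = []
    for ev in events:
        reasons = triage(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample: a legitimate push, a push that fell back to NTLM,
# a relayed authentication landing on the Exchange server, and noise.
SAMPLE_EVENTS = [
    Logon("srv01.corp.local", "CORP", "sccm_push", 3, "Kerberos", "192.168.56.100"),
    Logon("srv01.corp.local", "CORP", "sccm_push", 3, "NTLM", "192.168.56.100"),
    Logon("exchange.corp.local", "CORP", "sccm_push", 3, "NTLM", "192.168.56.1"),
    Logon("exchange.corp.local", "CORP", "jdoe", 3, "NTLM", "192.168.56.1"),
    Logon("srv01.corp.local", "CORP", "sccm_push", 2, "Negotiate", "127.0.0.1"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"{ev.computer}: {account(ev)} from {ev.ip_address} ({ev.auth_package})")
        for reason in reasons:
            print("   -", reason)
```

Two caveats for anyone turning this into a real rule. The coerced capture itself happens on the attacker's box, so no 4624 you can see is generated in that phase; the site server's ccm.log, which records every push attempt together with its target address, is the place to look for pushes toward unknown hosts. And the NTLM reason is only meaningful once connection fallback to NTLM has been disabled, otherwise it fires on every push to a host the site server reaches by IP.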

Defensive recommendations

Defensive recommendations are a part of the great SharpSCCM wiki. Here, we will cover the ones that are most effective but also easy to implement. I will not repeat things such as install updates, ensure that privileged accounts use strong passwords, audit activities, enforce signing if possible, and so on. Let’s look at some defensive recommendations:

  • To prevent coercion, disable connection fallback to NTLM
  • Disable network access accounts (NAAs) in the domain and use Enhanced HTTP instead
  • Use software update-based installation to deploy clients instead of automatic site-wide client push installation
  • Clean task sequences and device collection variables of sensitive data
  • For PXE, set a strong password on the boot media and disable F8 debugging
  • Check service accounts to ensure the principle of least privilege is applied
  • Do not run the WebClient (WebDAV) service, to avoid HTTP coercion
  • Enable multi-factor authentication for SMS provider calls[17]
  • Require Extended...

Summary

This chapter covered techniques and attacks against IT administration software. We briefly discussed ways to compromise WSUS and the tooling available for such adversary activity. Furthermore, we took a deep dive into the SCCM ecosystem and saw in practice how misconfiguration can lead to a complete takeover of the environment. Later, in the Defensive recommendations section, I stressed the three most important recommendations for improving the SCCM security posture.

Overall, this entire book should demonstrate how complex Windows-based infrastructure is, and how many hidden parts it has. Clearly, new vulnerabilities and attack vectors will appear regularly, but there are enough security mechanisms to make the life of an adversary much harder.

Further reading

These aids for further study will let you dive deeper into the attacks covered in the chapter:
