Duane Michael - Offensive SCCM: Abusing Microsoft's C2 Framework

Thu Aug 08 2024 at 09:00 am to 01:00 pm

SpringHill Suites Las Vegas Convention Center | Las Vegas

Publisher/Host: DEF CON 32 Workshops
About this Event

Abstract:

Microsoft Configuration Manager, formerly SCCM (System Center Configuration Manager), is a powerful technology that has been used to deploy software to Windows systems in the majority of enterprise environments since it was released by Microsoft in 1994. Although SCCM has a high potential for abuse due to its privileged access to entire fleets of servers and workstations, it has not been heavily researched or leveraged by security professionals until recently, presumably due to the time-consuming installation process and learning curve. In this workshop, students will be provided access to a live environment that reflects an enterprise SCCM deployment, gain an understanding of how the different components of SCCM interact, and learn how to execute recently discovered attack primitives that can be used to compromise SCCM clients, servers, and entire hierarchies. By completing both guided exercises and optional CTF challenges in this lab environment, students will learn how to demonstrate the impact of attack paths involving SCCM.

By the end of this workshop, participants will be able to:
- understand the foundational concepts needed to attack and defend SCCM
- understand SCCM defaults and configurations that can be abused
- use SCCM to complete a realistic attack chain, including recon, privilege escalation, credential gathering, site takeover, and lateral movement
- understand how to use offensive security tools to interact with SCCM, such as SCCMHunter, SharpSCCM, sccmwtf, PXEThief, and ntlmrelayx

To get the most out of this training, participants will benefit from reviewing the following resources, although they are not required:
- Misconfiguration Manager (misconfigurationmanager.com)
- System Center Configuration Manager Current Branch Unleashed, by Kerrie Meyler
- Configuration Manager Terminology
- Looking Inside Configuration Manager
- Network Design
- Client Management

Since 2022, Chris, Duane, and Garrett have released a combined 8 blog posts and authored 3 tools (SharpSCCM, SCCMHunter, and Misconfiguration Manager) that demonstrate novel offensive techniques to abuse SCCM functionality.


Bio:
Duane Michael (@subat0mik) is a Managing Consultant at SpecterOps, where he conducts red team operations, penetration tests, research, course development, and training. Duane has instructed courses on red teaming and vulnerability research at BH USA/EU, NorthSec, and SO-CON. He has presented at Arsenal and DEF CON Demo Labs, contributes to various open source projects, and is a co-author of Misconfiguration Manager.

Chris Thompson (@_Mayyhem)

Chris Thompson (@_Mayyhem) is a Principal Consultant at SpecterOps, where he conducts red team operations, research, tool development, and training. Chris has instructed at BH USA/EU and has spoken at Arsenal and DEF CON Demo Labs. He is the primary author of SharpSCCM and co-author of Misconfiguration Manager.

Garrett Foster (@garrfoster)

Garrett Foster (@garrfoster) is a Senior Consultant at SpecterOps, where he conducts red team operations, penetration testing, research, training, and course development. Garrett has presented at WWHF and BsidesPDX. Garrett is the primary author of SCCMHunter and a co-author of Misconfiguration Manager.

Event Venue & Nearby Stays

SpringHill Suites Las Vegas Convention Center, 2989 Paradise Road, Las Vegas, United States

Tickets

USD 0.00