SCCM Exploitation: Account Compromise Via Computerized Consumer Push & AD System Discovery 


Creator: Marshall Worth, Senior Safety Guide

TL;DR: The next circumstances can result in compromise of the SCCM shopper push account and SCCM machine account. As a result of permissions these accounts maintain, this could result in SCCM web site takeover or within the case of the SCCM push account, administrative privileges over quite a few laptop objects throughout the area.

  • The power to create DNS information as a low-privilege person (default).
  • Be part of a pc to the area (10 by default).
  • SCCM deployment configured to permit connections to fall again to NTLM or lacking hotfix KB15599094.
  • Enablement of automated site-wide shopper push set up and Lively Listing system discovery.


Over the previous couple of years, an incredible quantity of analysis throughout the System Heart Configuration Supervisor (SCCM) ecosystem has been achieved, ensuing within the identification and, in the end, the remediation of a number of vulnerabilities or misconfigurations. Professionals comparable to Chris Thompson (@_Mayyhem), Matt Nelson (@enigma0x3), Duane Michael (@subat0mik), Garret Foster (@garrfoster) and lots of others have launched weblog posts and instruments which have expanded our data on this area and offered useful mechanisms to determine and remediate these vulnerabilities which have most definitely resulted in a safer surroundings for purchasers. 

Of explicit curiosity, a weblog put up by Chris Thompson, titled “Coercing NTLM Authentication from SCCM” recognized and offered a highway map in direction of abusing SCCM’s automated site-wide shopper push performance when “Enable fallback to NTLM authentication” is enabled and heartbeat discovery is in use. This weblog put up does a wonderful job detailing what data SCCM makes use of to create a Information Discovery File (DDR) which is, in flip, utilized by the SCCM web site to find out whether or not to try to put in a shopper on the host. As talked about on this put up, one property that’s checked out is the “Working System Title and Model.” That is vital and the explanation will grow to be obvious shortly.

On this weblog put up, Chris Thompson mentions different discovery strategies, particularly referencing “Lively Listing System Discovery,” however follows up by explaining that he hadn’t discovered a technique to drive automated shopper push set up by way of Lively Listing System Discovery. This sparked my curiosity and resulted in additional analysis. I’ve recognized a method to abuse this configuration to coerce the SCCM shopper push account to authenticate to an arbitrary host without having entry to any SCCM shopper nor administrative entry throughout the area.

The Journey

Leaping into this journey, my first impulse was to create a DNS document pointing in direction of my “assault machine” and a corresponding laptop account utilizing the instruments from the Impacket library and from krbrelayx toolkit. In fact, this didn’t work. A fast peek into the adsysdis log throughout the “Program Information/Microsoft Configuration Supervisor/Logs” listing reveals precisely why.

As we are able to see, the operatingSystem, operatingSystemVersion, and dNSHostName attributes usually are not configured on the pc object. Populating the dNSHostName property is definitely achieved. defaults to utilizing the SAMR technique. When this technique is used, this attribute is not going to be populated. Nevertheless, if the “-ldaps” flag is handed, this instrument will join by way of LDAPS, and this attribute might be populated. The operatingSystem and operatingSystemVersion attributes is not going to be crammed out. As talked about by Chris, the machine account creator doesn’t have write permissions to those values. I confirmed this by including these attributes to the “ucd” part of the script, however when run with a low-privileged person, I obtained an error message indicating a “constraintViolation” had taken place. Executing this with a site admin account was profitable, indicating it is a permission concern. Peering into this attribute’s properties with Lively Listing Administration Heart, reveals the account creator doesn’t maintain write privileges.

Apparently, neither SELF nor the pc account held write permissions over this attribute, both.

This turned my problem: How may I create a pc account with these values populated and a DNS document pointing to a machine I management? The reply I discovered was within the “area be part of” course of. A low-privileged area account can, by default, be part of as much as ten workstations to a site. Armed with that data and entry to a low-privileged, common area person, this turned my assault path.

The Assault Path

1. Create a DNS document for an arbitrary hostname which resolves to my assault machine.

a. That is completed first in order that if subsequent occasions lead to a dynamic DNS replace, my low-privileged person will nonetheless management

the DNS document, and I can merely modify it again utilizing that account.

$ python3 -u '<domainuser>' -p '<PASSWORD> -r <desired.fqdn> -a add -t A -d <desired_ip> <dc-ip>

2. Begin your NTLM relay or NTLM seize instrument.

a. On this demonstration, I’m utilizing Responder in analyze mode. Lively Listing System Discovery, by default, updates

each 5 minutes. As we have now no technique to determine when that is occurring, this instrument needs to be ready and prepared.

3. Be part of an actual Home windows digital machine to the area utilizing low-privileged credentials with a pc identify matching

this DNS document.

a. This digital machine may very well be tunneled or proxied by way of one other host on the community utilizing your C2 framework or

tunneling instrument of selection.

4. Authenticate to the newly joined Home windows VM utilizing the person it was joined with and delete SPNs related to this machine

account to drive fallback to NTLM.

a. On this step, we’re eradicating the HOST SPN for the machine account of the pc we joined.

b. Whereas researching this downside, I reached out to my buddy and coworker, Connor Dowling. He offered this technique of

“breaking Kerberos.” After ending my analysis, I realized this method was additionally used within the weblog put up “Push Involves

Shove: Bypassing Kerberos Authentication of SCCM Consumer Push Accounts” by Brandon Colley(@TechBrandon) of Trimarc

Safety. After following up with half one and half two of his weblog collection, I’ve realized that these blogs contact very carefully

on the method I’m discussing right here. As such, I consider this method is a continuation or clarification of labor already

achieved by Brandon.

setspn -D host/ComputerName ComputerName

setspn -D host/ComputerName.FullyQualified.Area ComputerName

Watch for AD System Discovery to determine this account and create a DDR for this inside SCCM. The ensuing shopper push ought to occur quickly after, resulting in the harvesting or seize of credentials.

c. Notice: I’m utilizing Responder in analyze mode to seize this hash with the next command:

python3 -I eth0 -Av

d. On this demo, the resultant hash is NTLMv1. My lab is presently, purposefully misconfigured in a susceptible state to

consider vulnerabilities related to NTLMv1. In different environments, it might be NTLMv2.

e. As depicted within the picture beneath, we are going to obtain authentication makes an attempt from each the shopper push account and the

SCCM machine account. The previous is greater than seemingly an area administrator over many machines in an surroundings, and

the latter could be relayed to the MSSQL database in some eventualities to have an effect on an SCCM web site takeover.

So why does this work, and what’s occurring behind the scenes?

Digging into SCCM Lively Listing System Discovery is the very best place to start out. By default, this performance will not be enabled; nevertheless, if a company elects to allow this function, its default setting is to carry out a full ballot of no matter Lively Listing path is configured each seven days. Between these full polls, it completes a “Delta discovery” replace, which is when it identifies new or lately up to date sources each 5 minutes.

Caveat – Relying on what Lively Listing LDAP “path” a company units as the place to begin for system discovery, it might not uncover the newly created laptop account. For instance, if newly joined machines are added to the “Computer systems” container however that path begins in a decrease sub-container, this delta discovery could not uncover the account.

If we look at the adsysdis log as soon as extra, we now see this system was efficiently found and a DDR created.

Investigating the ccm log throughout the “Program Information/Microsoft Configuration Supervisor/logs” listing, we are able to determine authentication makes an attempt in direction of the FQDN and the NetBIOS identify of our created laptop utilizing the SCCM shopper push and machine account.

These connection makes an attempt are utilizing NTLM as a result of this SCCM deployment is configured to permit connection fallback to NTLM. This might additionally occur if this had been an outdated set up of SCCM and the requisite hotfix was not utilized. Eradicating the SPNs related to our created laptop account ensures this may occur.

What was handed to fill the Working System and Model property inside SCCM? If we look at the pc object utilizing the PowerShell “Get-ADComputer” cmdlet offered by RSAT, we are able to determine what Lively Listing recorded versus what’s contained inside SCCM.

Wanting on the laptop properties throughout the Configuration Administration console reveals us precisely what Chris Thompson recognized in his article, which is “Microsoft Home windows NT Workstation <Model>.”

What’s the affect?

The affect of this assault is much like beforehand recognized SCCM Consumer Push NTLM relay assaults. Because the shopper push account is required to be an area administrator for any system on which shopper set up is desired, this account is commonly native administrator over quite a lot of belongings. Moreover, if the machine account is relayed this might result in web site takeover. If the prerequisite configuration inside SCCM is current, specifically, automated site-wide shopper push is enabled, Lively Listing System Discovery is enabled with default choices, and low-privileged customers can be part of ten machines to the area, an attacker may go from low-privileged credentials to controlling the SCCM shopper push account at a naked minimal inside 5-10 minutes.

How can we mitigate?

Apart from the suggestions that can apply to NTLM relaying abuse, comparable to SMB Signing configured on all belongings, Prolonged Safety for MSSQL and HTTPS, and LDAP signing/LDAPS channel binding, the suggestions beneath will assist forestall this assault method:

  • Hotfix KB15599094 – This replace needs to be put in, and “Enable connection fallback to NTLM” needs to be disabled. For brand new installations, this selection shouldn’t be enabled. This replace prevents fallback to NTLM when WMI queries are executed in the course of the shopper set up section and supersedes hotfix KB15498768 which additionally fixes a situation through which connections would fallback to NTLM when Kerberos fails no matter whether or not “Enable connection fallback to NTLM” was disabled.
  • Think about disabling automated site-wide shopper push set up.
  • Set the MS-DS-Machine-Account-Quota worth to zero for all customers besides particular accounts required to affix/create laptop accounts.
  • Make sure that the SCCM Consumer push account will not be over-privileged. This account shouldn’t be a Area Admin or throughout the built-in administrator group for computer systems that don’t want Consumer Push set up.

How can we detect?

  • Monitor authentication logs for authentication makes an attempt (success/failure) by the SCCM shopper push account in opposition to any workstation/server that shouldn’t require an SCCM shopper set up.
  • For environments that can’t instantly disable automated site-wide shopper push set up and are utilizing AD system discovery, the adsysdis and ccm log could be ingested right into a SIEM and used to create and monitor dashboards or risk hunt for brand spanking new DDR creation and subsequent authentication makes an attempt ensuing for automated shopper push.
  • Consumer push accounts are used to authenticate to companies aside from SMB.

What’s subsequent?

We’re persevering with analysis into this assault path, significantly on strategies to create a DDR with the Working System and Model property crammed. I’m personally working to higher perceive how these properties get populated inside Lively Listing when a pc is joined versus when a machine account is created by way of one thing like Impacket My analysis to this point signifies that the creator and the machine account itself should not have write permissions to those attributes, so it’s unclear how they get populated. Within the meantime, GuidePoint Safety is constant to determine SCCM misconfigurations throughout our assessments, so maintain a watch out for additional posts on this topic.

  • Impacket – Used to create a pc account inside Lively Listing.
  • krbrelayx – Used to create or modify a DNS document inside Lively Listing DNS companies.
  • sccmhunter – An enormous supply of inspiration for this analysis. sccmhunter’s potential to make use of the SCCM Administration Level’s http endpoint to register a brand new system and retrieve NAA credentials, together with Chris Thompson’s weblog on coercing NTLM authentication by way of shopper push, offered the impetus that drove my want to analysis and find out about this topic.
  • Ludus – The best technique to deploy dev/take a look at infrastructure.
  • GOAD – Recreation of Lively Listing Automated AD lab is an unbelievable useful resource for standing up a susceptible AD surroundings. This lab fashioned the bottom of my Lively Listing lab for this demonstration, which included SCCM constructed inside this surroundings.
  • SharpSCCM – That is an unbelievable instrument for figuring out and abusing SCCM misconfigurations. This instrument and the accompanying analysis are useful for any safety practitioner concerned in securing SCCM.
  • Setspn.exe – Used to interrupt Kerberos authentication by eradicating the HOST SPN from the account, forcing the fallback to NTLM.


*** This can be a Safety Bloggers Community syndicated weblog from The Guiding Level | GuidePoint Safety authored by GuidePoint Safety. Learn the unique put up at:


Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *