
Push comes to shove: exploring SCCM attack paths - Brandon Colley

BSides KC · 2022 · 50:50 · Published 2022-10
About this talk
Configuration Manager (SCCM) is a systems management product used by many companies to manage endpoints. When configuring SCCM, the simplest and most popular client install method is the "client push installation". This method has been around for years and is listed first in Microsoft's documentation. Awkwardly, Microsoft recommends against the use of the client push installation. Environments continue to use this method despite these recommendations and the vulnerabilities associated with it. When push comes to shove, an attacker can fully compromise AD in multiple ways. This talk discusses current security recommendations, the vulnerabilities they mitigate, and the ways an attacker can still infiltrate workstations, servers, or SCCM itself. Three new attack paths will be demonstrated using simple techniques that leverage known Windows and SCCM behaviors. These attacks will extract administrative credentials, move laterally, and fully bypass security settings. Such an attack can provide a vehicle for ransomware or quickly elevate an attacker to Domain Admin. Each attack path shown will challenge current best practices and prove the mitigations in place are easily circumvented. These demonstrations include NTLM hash dump, NTLM relay, and clever strategies that force undesirable SCCM behaviors. Finally, new mitigations and recommendations will be explored that can help protect against these attacks and generally improve security posture. At the end of this talk, it becomes clear that the push account cannot be secured and therefore should never be used.

Brandon Colley (Security Consultant at Trimarc Security). Brandon has 15 years of experience administering and securing Active Directory and Windows environments. He specializes in providing "reality-based" AD and Azure AD security assessments for clients of Trimarc.
Brandon’s community focus includes answering the “whys and hows” in relation to recent vulnerabilities. He delivers infosec content that is built for a Blue Team through a Red lens.
Transcript [en]

Thank you all for coming, and as people are kind of straggling in I'm going to just putter around a little bit. So first of all I just wanted to mention this is my first actual live speaking. I did one online a while ago, and I'm actually fairly new to cyber security in general, so I've been in the community for just a very short time. And so I just wanted to say to all of you out there, first of all, thank you for being awesome people in the community, because this community is just so over-sharing in a good way, and just so encouraging, and part of the reason I'm up here today is because of all of the people that I've been surrounded by that are encouraging. So if any of you are like me a year ago and you're aspiring to do a speech, I highly encourage you to submit for something. If you think it's important, somebody else is going to think it's important, so just know you do have something important to say. So with that, I hope you think that I have something important to say. Obviously you at least somewhat do, because you showed up to this room, so unless you're lost, you're here to see Push Comes to Shove: Exploring SCCM Attack Paths.

So did you know that SCCM is 28 years old? SCCM is actually older than Active Directory, and I'm calling it SCCM, but it's currently known as Microsoft Endpoint Configuration Manager. There's like a million hashtags for SCCM, I've realized now. So it actually started in 20... sorry, not 20, that would not be 28 years, in 1994, and in 1994 it came out as SMS, or Systems Management Server. And just for reference, do you know what else happened in 1994? That was not the year I was born, nice try, but Justin Bieber was born that year, China was first connected to the internet, and this guy became a billionaire pretty much overnight. But it's not a talk about 1994.

And so while you might not remember where you were when Richard Nixon died, which was also 1994 by the way, you might remember where you were when you heard me talk about the gross vulnerabilities in SCCM. So my name is Brandon Colley, you can find me online on Twitter at TechBrandon. I already lost some audience members, Chris. I have 15 years of sysadmin experience. I've been securing Active Directory and Windows through several different previous jobs. I'm currently a recovering SCCM administrator; thank you, one of my friends, Jake, for letting me use that joke. So I say that because I actually supported SCCM at three separate institutions; the most recent one I actually built from the ground up and implemented a lot of the poor things that you're about to see today. Currently, over the last seven months, I've worked with Trimarc Security, and we perform Active Directory assessments for clients big and small. We do Azure AD, we do VMware, we essentially do whatever the client really asks of us, and possibly most importantly, I am a big Kansas City Chiefs fan. I actually almost wore my jersey today, maybe later tonight for the afternoon party.

So our agenda: I assume most of you already have at least a brief understanding of SCCM, but we're going to go through it anyway. I'm going to talk about the client install, and I'm also going to talk about the client push settings as well as the recommendations that are surrounding those. I'm then going to talk about the vulnerabilities that are mitigated, or attempted to be mitigated, by some of these recommendations, and then we get the fun stuff, we get to do some attack demonstrations. I've got three separate attack demos that I'll show you guys, and I'm really excited that, first time publicly, this is part of a responsible disclosure for a CVE that just got released earlier this week. There's a knowledge base article that just came out on Tuesday, I believe it was, that patches some of the vulnerabilities that I'm showing you guys how to attack right now. So either you're welcome or I'm sorry, it depends on which side of the defense you're on, I guess.

So we're going to talk about, when push comes to shove, how an attacker can fully compromise Active Directory in multiple different ways. You'll see Windows and SCCM behaviors that extract administrative credentials, how attackers use those credentials to move laterally, and then we'll also figure out how you can completely bypass all mitigations. And this attack could be used as a vehicle for not only just elevating to domain administrator incredibly quickly, but could also be used for something like ransomware. And so we're going to close the talk too, as long as I've got enough time and I talk fast enough, with some mitigations.

So here we go. SCCM, like I said, I assume most of you know SCCM, but some of you might be lost, so thanks for sticking around anyway. SCCM is a systems management application that manages endpoints. It's typically used to patch systems for their OSes, deploy applications, deploy operating systems, and it does much, much more than that. Typically it requires more than one full-time employee to manage SCCM, depending on the size of your organization. SCCM relies on the client installation, so this is a client-based application, and when you first install SCCM you get to pick your poison here on which method you'd like to use to install the client on all of your endpoints. And so the client push is the one that we're going to be talking about today. So why do people pick the client push? Well, it's very easy to do, it's been around for a long time, and I think most importantly it's actually listed first in the documentation, and so we all, sysadmins, are like water and we just take the path of least resistance, right? So honestly, though, SCCM push accounts are fairly attractive because of the integrations that they have with Active Directory. So here's a screenshot of the System Discovery. System Discovery can be mapped into your Active Directory, so whenever new machines come online they automatically get put into SCCM. The second piece of that is installing a client on those machines, and so here's the screenshot of the client push installation properties, and then you also have to configure the accounts. And so these accounts are configured because, to install the application, you need administrative credentials on the endpoint, and so here's where you can configure your usernames and passwords for the accounts that are going to do that installation. So basically our workflow here is going to be: add a new machine to the domain, that machine automatically gets injected into SCCM, and then SCCM automatically pushes the client with one of these accounts.

So some of you might have seen this comment a little bit: client push is generally not recommended by Microsoft. They talk about the local administrative privileges that are required as being a major reason why they don't recommend this, and so that's where the talk typically would end right there, but lucky for us we're going to keep going. So they offer, if you must, I like to capitalize and bold this here if I could, if you must use the client push, first of all do not put your account in Domain Admins, so it's game over already if you've done that. Instead they recommend that you spread the access across multiple accounts, and this limits your attack surface. Lastly they recommend that you enforce Kerberos mutual authentication, and that is also known as disallowing fallback to NTLM, and we're going to talk about that a little bit more, as that's essentially what we're talking about through the entire talk.

So, the allow connection to fall back to NTLM setting. This setting was added in 2018; version 1806 was released for SCCM and that's when this was added. Up until, and I just learned this earlier this week, up until the most recent install of SCCM, this is unchecked by... sorry, this is checked by default. So by default all your installs are allowing fallback to NTLM. The most recent version that was just released, for a brand new install, does now uncheck this as the recommendation states. So just to clarify what this setting actually does: Kerberos authentication is what's going to be preferred as far as just Windows in general goes, so communication between your clients and your servers is going to prefer Kerberos, but if Kerberos fails to authenticate, or it can't use Kerberos for whatever reason, this setting will allow it to fall back to NTLM.

All right, and so to further explain the configuration, the vulnerable configuration, I like to break it down into three pieces. So the first piece is the NTLM hash of the push accounts. I don't have time to really dig into NTLM and Kerberos; instead, all you really need to know is that it's a hashed credential. Kerberos is considered a better method and a more secure method, and is much newer than NTLM, you know. The second piece of the puzzle is the heightened privileges that are granted to those client push accounts. So by nature, and essentially the sole purpose of those accounts, is to perform installs on your endpoints, and like I said earlier, do not make them domain administrators. Even though you need administrative credentials on all of your endpoints, it's still not a good idea. At Trimarc we assess this, and we see still about 20% of our customers are continuing to do this, and this is considered a critical issue. So the last piece is the action of the SCCM server performing the install, or kicking off the client install, and what I mean by that is that the server controls when the client gets pushed to the endpoint, or at least it's supposed to. So if an attacker is able to somehow trigger that installation process, they can put themselves in a position where they can capture the NTLM hash of the push account and gain administrative credentials on the endpoint.

So now we're starting to see the problem. This is the problem that's actually been around for, oh, four years, so this is around the same time that the patch, or not really the patch, but the NTLM fallback setting was created. So Matt tweeted this out back in February of 2018, and he says that if you can elevate on an endpoint you can gain the NTLM hash of the domain service account that's used to install an agent, and then, oh by the way, that's a local admin on all of the endpoints that it manages. In replies to this, Matt goes on to explain a little bit about how you might be able to coerce that installation to occur: you can simply just uninstall the agent if you already have administrative rights on the endpoint, you can leverage WMI to downgrade the version, and so when SCCM checks back in, SCCM is going to see that it either doesn't have a client or has an old client, and it's going to attempt to reinstall. So that's all great, but it can take, you know, seven days, 20 days, however long it's going to take for that cycle to occur. So I found a better way to do it.

And so attack one, I like to call this All the Creds. So with this attack we're going to assume that we just have a regular user credential. We're assuming, for this, at this point we have phished the user, or we found something on a password underneath a keyboard, whatever, just a normal domain user account. We're also assuming some default configurations, which by Microsoft standards means misconfigurations. So by that, the two that we're really going to attack is the domain join permission, and if you're not familiar with this, by default all authenticated users are able to add up to 10 machines to your domain unless this has been mitigated. We're also assuming the allow fallback to NTLM is enabled. With those set up, we're then able to force NTLM authentication to occur. I mentioned earlier that Kerberos is going to be the preferred method, so if we're able, as an attacker, to join a computer to the domain, we can downgrade the authentication and force NTLM to occur by removing the host SPNs of that Active Directory object.

So the other piece I want to talk about before we get to the hack, and All the Creds, the reason I call it All the Creds, is because we're going to attempt to capture all of the credentials that are configured for your SCCM push account. So I like to break this down by the difference between the theory and the reality of how SCCM does this, and I blogged about this back in January. But the theory is that you can set up multiple push accounts that target only a select few computers for each account. Now, while this is true on how you can configure it on the back end, it's not how SCCM is set up. SCCM in reality works in a much more linear fashion, and by that I mean it's going to attempt the first account in the list; if that account fails to install an agent it will try the next, and the next, and the next, and so on. Thank you. And so we can simply just remove local administrator to force all of the credentials to send, and so while you might not have a single account that's a domain administrator, with all of those accounts combined we can capture them. I'm going to let you guys read this real fast. All right, before I do the demo I'm going to do the same disclaimer: use your powers for good. If you don't have approval, don't hack something, please.

So here's your demo. All right, cool, it's working, right? All right, so here is going to be just our attacker's machine. So obviously in the lab I'm just using VMs; in theory it could just be an attacker's virtual machine. And the first thing we're going to do is join this machine to the domain. I mentioned by default we've already stolen credentials, so we're going to join the Brandon Rocks domain, hope you all agree, with our domain join account. This guy is just a domain user, and we've now created an account in Active Directory for this computer. And before we restart, I'm going to open up a PowerShell... is that how you say it? Do you have to say shell, so PowerShell shell, is that how you say it, opening a PowerShell shell? No, no, it's just PowerShell. Okay, so I'm opening a PowerShell, and I'm running it as the domain join account, and the reason I'm doing this is because that account was used to add the computer to the domain, it's the owner on that Active Directory object, and if you own an object you can manipulate all of its properties. And so here I'm running setspn with a delete, and I'm going to delete these host SPNs, and the reason this prevents Kerberos from authenticating is because it breaks that communication between the client and the server, so when the server is attempting to reach out and find this computer to push the agent to it, it's not going to be able to authenticate with Kerberos any longer. And now, with a little bit of the power of editing, we don't have to watch my slow virtual machine reboot, and this is why I didn't do it live, also because it probably won't work when you do it live. [Music]

All right, and now we're disabling Windows Defender because we're about ready to use a hacking tool. So we're using Inveigh to act as a man-in-the-middle attack, or a machine-in-the-middle, which is kind of strange to say because you're actually on the same machine, but what this is going to do is it's going to capture the network traffic that's coming to the machine, and since we're attempting to capture the installation on domain join, I'll run through this fairly quickly. Ideally, if you are a real attacker and you aren't trying to demonstrate things, you could just script all this stuff. So I also turned off the firewall, I guess I should mention too, and that's just mostly for preventing lab mishaps, and then I'm removing Domain Admins from the local Administrators group. And now we get to launch our PowerShell, and then we're going to load up Inveigh after we set the execution policy. I'll talk a little bit more about Inveigh, we're going to run that a couple more times, and so I'll talk more about it later, but right now what you're seeing is I'm just loading the PowerShell script and then I'm running the Invoke-Inveigh cmdlet, and I'm telling it that I want to see the console output on the screen, and then I also want to capture machine account credentials. And so here you can actually watch as the traffic's coming through, and this isn't edited actually, this is just real time, and then here's all of our hashes to fly through. And so you saw all four separate hashes; yeah, we know, Windows security, we did that on purpose. And so we can stop it, and then we can run Get-Inveigh, and we can pull all of the NTLMv2 hashes that we captured, all the unique ones, and here at the bottom you can see that we got the push account one, two, as well as that DA, and then there at the bottom is the win SECU computer account. [Audience: Did you say that one of those was an NTLM hash... did we have an account?] Yeah, it was just in my lab, the way that I configured it. [Audience: And if it was, then why would you need to... (inaudible)] So five minutes. So five minutes is all it's going to take to pull all of the credentials for all of your configured hash account... all right, yeah, all of the hashes for your configured push accounts, sorry, I messed that one up.

So what can you do with the hash, right? Well, you can crack it, as most of us are aware, so you take it offline; if it's not a complex hash and if you've got a nice hacking rig it can possibly be cracked within seconds. But what if you can't? What if it's a much more highly complex password, it's very long? Then you can pass that hash around in what's called an NTLM relay attack, and that's what we're going to do next. So in picking on the definition of a strong password, we're actually going to use the computer account for this next demonstration, and I picked that for two reasons. The first reason is that, like I had said, it's essentially the definition of a complex password: it's a 120-character password for your computer account and it rolls, I think by default, every 30 days. But it's not just a computer account, it's also the SCCM server account, and while you think that might not be cool or anything, you need to examine some of your installation and also some of the best practices that are out here. So if you're using a remote SQL Server for the database for SCCM, you've had to grant that computer account access to your SQL Server database, possibly the SQL Server itself. If you're using a secondary site, you've done the same thing, you've added your computer account as a local administrator on that secondary site server. This one is potentially scary too, and this is if you're using a System Management container in Active Directory: you've delegated Active Directory rights to that computer account, hopefully just on that OU, but you never know; if you do it at the root you just get full control, right? Nobody does that. And then this one I think is fun too: Craig wrote a blog that argued that you could just use the computer account as the push account and just add it to the local Administrators group on all of your endpoints. And in case you think that these are just old articles that I found on the web just by doing Google searches, they're not old, but I did just search on the web for a bunch of stuff. Those last three were released within the last year, and if you're an SCCM administrator or you're around for any period of time, those two in the middle are Prajwal blogs, so Prajwal is essentially the authority on SCCM, so I trust in a few blog posts.

So you remember we dumped the hash earlier of the computer account as well as all of the configured accounts. Well, if you actually follow Microsoft best practice and we do not allow NTLM fallback to occur, it's going to do what we thought it was going to do: it's going to prevent the Kerberos and the NTLM authentication for all the configured push accounts. So if we remove the SPN then we can't authenticate with Kerberos; if we set this setting then we can't authenticate through NTLM, and so none of the client push configured accounts are going to attempt to authenticate to that endpoint. The computer account does, so this is our first way that
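A defensive check that follows from the first attack path described above, added here as an example and not taken from the talk: a PowerShell audit (assumes the RSAT ActiveDirectory module and read access to the domain) that lists computer objects with no HOST/ SPNs or owned by an ordinary user account, which are the artifacts left when a machine is joined under the default quota and its SPNs are deleted to force NTLM fallback, and that reports the domain's ms-DS-MachineAccountQuota. The `$trustedOwners` list and the 30-day "recent join" window are assumptions chosen for this example.

```powershell
# Added audit example (not the talk's own tooling). Requires: Import-Module ActiveDirectory
Import-Module ActiveDirectory

# Assumption: computer objects owned by these groups are considered expected.
$trustedOwners = @('Domain Admins', 'Enterprise Admins', 'Administrators')

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota lives on the domain naming context; default is 10.
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-SuspiciousComputerObjects {
    param([int]$RecentDays = 30)   # assumed window for "recently joined"

    Get-ADComputer -Filter * -Properties servicePrincipalName, nTSecurityDescriptor, whenCreated |
        ForEach-Object {
            $spns      = @($_.servicePrincipalName)
            $hostSpns  = @($spns | Where-Object { $_ -like 'HOST/*' })
            $owner     = [string]$_.nTSecurityDescriptor.Owner      # e.g. CORP\jdoe
            $ownerName = ($owner -split '\\')[-1]

            [pscustomobject]@{
                Name         = $_.Name
                Enabled      = $_.Enabled
                WhenCreated  = $_.whenCreated
                Owner        = $owner
                HostSpnCount = $hostSpns.Count
                # Only computers with the HOST/ SPNs removed can no longer be reached with Kerberos
                MissingHostSpn = ($hostSpns.Count -eq 0)
                # A user-owned object is exactly what a quota-based self-join produces
                UserOwned    = ($trustedOwners -notcontains $ownerName)
                RecentJoin   = ($_.whenCreated -gt (Get-Date).AddDays(-$RecentDays))
            }
        } |
        Where-Object { $_.MissingHostSpn -or $_.UserOwned } |
        Sort-Object -Property MissingHostSpn, RecentJoin -Descending
}

# Report: quota first, then the findings, most urgent on top.
$quota = Get-MachineAccountQuota
if ($quota -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota: any authenticated user can join that many machines."
}

$findings = Get-SuspiciousComputerObjects
$findings | Format-Table Name, Enabled, WhenCreated, Owner, HostSpnCount, MissingHostSpn, UserOwned, RecentJoin -AutoSize

$urgent = @($findings | Where-Object { $_.Enabled -and $_.MissingHostSpn -and $_.UserOwned -and $_.RecentJoin })
if ($urgent.Count -gt 0) {
    Write-Warning ("{0} enabled, recently joined, user-owned computer object(s) have no HOST/ SPNs; " +
                   "review the owner and the SPN change history for each.") -f $urgent.Count
}
```

With "Audit Directory Service Changes" enabled and a SACL on the computer objects, each SPN deletion is also recorded as event ID 5136 on the domain controller, which gives a time-based detection to pair with this point-in-time audit.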