Misconfiguration Manager: Overlooked and Overprivileged

Configuration Manager (SCCM) attack paths have become more and more common recently. From credential abuse to site takeover, the impact of these attack paths is significant, as they often directly lead to domain compromise, else enable it. In this talk we discuss some of the most critical and common SCCM attack paths we’ve discovered and abused in the wild and how to best mitigate and manage them.

Microsoft Configuration Manager (formerly known as System Center Configuration Manager (SCCM)), a widely used tool for managing enterprise computers and software deployments, has increasingly become a target for sophisticated cyber attacks and security research. This talk explores the emerging and overlooked vulnerabilities and misconfigurations within SCCM. We delve into various attack paths, ranging from credential abuse to complete site takeovers, demonstrating their potential to directly and indirectly lead to domain compromise.

Our presentation will not only highlight some of the most critical and common SCCM attack paths we’ve identified and exploited in real-world scenarios, but also provide actionable strategies for effective mitigation and management. We aim to raise awareness about the significant security risks associated with SCCM misconfigurations and how they can be leveraged by attackers.

Furthermore, we are excited to introduce the “SCCM Attack & Defense Matrix.” This novel framework is designed to codify and streamline the understanding of attack techniques specific to SCCM, developed by both the speakers and the security community at large. It serves as a vital tool for IT professionals and security experts, enabling them to better anticipate, identify, and defend against SCCM-based attacks. This matrix is a culmination of collaborative efforts and research, setting a new standard in the field of information security for comprehensively addressing SCCM vulnerabilities.