
Up Is Down black is white using secm for wrong and right we're going to kind of go over some of the offensive secm and defensive SCM stuff we've used in the field is it you should just F yeah I don't I don't know how computers work it's broken there we go we go okay all right all right so that's me that's my Twitter handle um I'm a penetration tester and red teamer for various group's adaptive threat division I've been there for about a year and um it's amazing um I'm an active developer on the power Empire framework so if anybody's used or heard of Empire um has anyone heard of Empire sweet right on I love offensive
Powershell um the day poell dies is the day that I go back to Indiana and start farming corn um I was a s avue while in college the the secm stuff um I actually administered suam for about a year and a half before I started the offensive stuff and I smoke spoken at Shmo um the fire talks and besides DC so this is my third con um so he getting the hang of it get the hang of it so I'm will Trader my handle harm jooy I'm a security researcher and red teamer for the same group with mat the Adaptive threat division a co-founder and kind of active offensive developer and a handful of projects so I helped found and write a
big chunk of the veil framework which I talked about 2 years ago here besid Boston some of the obus skated Pine seller stuff I wrote power viiew power up a lot of the offensive power shell tool kit that we use on our red team engagements I'm a co-founder active developer of Empire and also we recently released python Empire for OSX we're trying to combine the projects and if anyone wants to talk about anything else that's either secm or not secm after we'll go on to the hallway and we would love just to talk to anybody about anything I'm an act power sploit developer now and I was recently awarded the Microsoft po shell MVP so got to go
do some the Summits and all that spoken at a few cons and I was at bides Boston two years ago like I mentioned so love this Con it's awesome had a have a great time and cool conversations with everybody all right so a little bit about this talk um we're going to kind of go over what R teaming is versus what pentesting is and how we tend to Define it um and then kind of the difference between hunting and incident response um and how that um you know Works into secm a little bit um we're going to cover the basics of secm so what is what can it be used for um how to not administer it and
then how we typically see CCM stuff in the Enterprise and so this isn't like a here's how you should set it up and and be safe with it it's a how do we see a lot of the organizations tend to follow a pattern of how they set it up and how we're able to abuse that to to do what we want um so that's going to move us into using and abusing secm and so we're going to kind of cover um you know how to backend set up a little bit um how we can use it as an attack platform um how we're able to push out agents to um you know host inside the network how we able
to use that to hunt um you know for different users computers and and use integrated technology within the network to accomplish our goals without introducing anything foreign and then um we're going to kind of go over a little bit of using Su for good for hunting and response and and how that can be applied for detecting bad and then there'll be a demo um using it um very briefly for some offensive stuff cool so a little bit of back trying to get everyone on the same page these are you know the the the stock this is kind of like what we're talking about this is what we mean by hunting this is what how we Define red teaming
and pin testing so pin testing I'm sure as's a lot of people know like who's actually who does pin testing and red teaming for like okay there there's a chunk of people that do this so like you know there's no Universal definition of like what's a Red Team Versus what's a pentest right so for pen testing we've seen it defined as could be anything from a single person running a vulnerability scan putting their company's logo on it not that any company has ever done that or none of us have ever read the reports of that happening uh it could be a few testers for you know one or two weeks or it could be a multi-week assault you know
for with a large team over a long period of time we view we personally view pin testing as uh kind of a breath uh breath first Focus you know we're not saying that we have the right definition this is just how we interpret it so we feel like the the goal of pin testing is find as many um problems and security issues as possible in a particular environment then we kind of combin that a little bit with we try to escalate as far as we can but we're focused on trying to find a breadth of vulnerabilities for a company right so this definitely has its place and you know you have a limited time frame in general you're going to use
open source tools you're not going to use super custom malare you're not going to do whatever else because that stuff costs money and time right we view red teaming as just a little bit different and for us the definitions have started to kind of blur based on the tool sets we developed but we really kind of view red teaming as the the chance to test the instant response process for a company so uh we view it as a training opportunity for Defenders so we don't remove logs uh and ideally for us certain parts of a red team are caught and certain parts aren't we want to find the noise threshold for a company you know we don't want to say
look we you didn't detect a single thing we're super super stealthy and like look at us for super crazy awesome AP simulators or something there's El small elements of that but we're not trying to prove we're smarter than all the instant responders we want to help them get better uh so you know maybe we start stealthy and if they don't detect anything over the course of Engagement we might start dialing the noise up until they actually figure out that we are there so we can see like are you properly Imaging a box or you pulling drives or you doing memory dumps you know how does your instant response process work so but in general you try to simulate a bit more
of an advanced adversary it's usually at least like a 3we time frame for us sometimes more um yeah and sometimes we'll write custom tools uh we'll we'll develop custom tradecraft for an engagement so this secm stuff actually came about from some of the red teams so you know we didn't on a onee pin test we didn't custom roll in you know a a PO shell module that does like Advanced SCM exploitation but because we had the time and opportunity and uh the kind of latitude to do that in a red team we were able to so instant response you know kind of a similar analogy like we view like pin testing to hunt as kind of or pin to Red
teaming is kind of instant response to hunt in general instant response is you know the five alarm fire concept it's kicked off by network monitoring tools alerts uh it's very reactive by the time that you detect something happening with instant response um it's often it might be a little bit too late but you know uh it's I ideally you want to be a bit more proactive which is kind of what we mean by hunting it's a US Department of Defense concept just kind of like red teaming a lot of these Concepts came from groups that have been doing them for a long time which was basically US government agencies or more advanced advanced types of groups so it's the
blue version of the assume breach mentality which I'll talk about quickly in a second and this you know the the standard lingo for hunting is detection investigation response deny degrade disrupt manipulate so it's hunt it's going uh you're going out and looking for bad guys in your network before uh it's tripped off by an AV alert or something right assume breach is the mentality of assuming that there's already an adversary in your network so this ties into red teaming so you know we we might manipulate kind of how we um approach the engagement with the Assumption of an embedded Advanced adversary and with hunting you're like well we don't have any AV alerts or we
don't have any Sim alerts but there's probably somebody there if they're good enough so let's develop techniques to go find where they are this is one of uh my favorite quotes it's from the Microsoft Enterprise Cloud red team in white paper which if you hadn't uh if you haven't read definitely go read it it's free by Microsoft is like 40 pages but they have this great quote from Michael Hayden who's the former director of the CIA NSA saying fundamentally someone wants to get in they're getting in accept that uh but we tell clients is number one you're in the fight whether you thought you were or not and number two you're almost certainly penetrated this doesn't mean
just throw up your hands and say well there's nothing we can do let's just you know call it a day and go home it's just realizing that you're not going to stop a determined enough adversary with enough funding so now we got to talk about sec a little bit so what is sum it stands for Microsoft system center configuration manager and so in a very short synopsis it allows you to push out applications and updates um kind of like wsus a little bit where you can manage you know like flash Chrome you can manage your end points with um the centralized management Point um it's self-maintained in the sense that the clients have agents installed
um and then they are calling back to a server so it's a lot like an internal rat if you gain control of it you can essentially just use that as your commanded control without having er um and so they'll periodically check in to get new stuff um the check in times vary from client to client they can set that up in in the setup itself um the package that we made can force a device check-in so if you don't feel like waiting around forever and we'll go over all the details and yep oh one other thing to mention with the SCCM is it's not just command and control it also does kind of automatic information gathering so by
default it'll see like what are the recently launched applications where are the installed packages what are the shares and there's a lot of different options you can have to tune it to gather even more information with your existing architecture and we'll go over some of the defensive tuning components later on in the presentation y so how we typically see it in an Enterprise is that they'll have one Central server um and then they'll have distribution points and so they all the stuff gets replicated out to the distribution points which can be widespread throughout the country um they're supposed to kind of have it set up so that um you know there are service accounts that run you know to push
updates so that when secm pushes out clients to host that has to have local admin to install it and so they the way we see it most is they've got a domain admin service account that is installing and pushing this stuff out um and so as far as the applications go um typically they're hosted up on an open share so that you know the endpoints can reach out and grab the packages one thing that I've seen the most of his admins and the shares will leave install notes install scripts that have credentials in them nine times out of 10 for the service account that's a domain admin that's running on thec box um so that admins
are going to admin what makes fun of me for saying that but it never fails everybody always somewhere leaves something on a share that um allows us to kind of abuse secm and the important thing to to note about this is that this isn't uh here's how you go PM it's how once you have access to it how can you use it to to further you know operating the network yeah this is a post exploitation concept uh in this presentation on the offensive side so we're not exploiting fcm if it's set up correctly there's not really anything you can do to attack it but that's very very rarely set up 100% correctly typically they're managed via controlled
groups um and so you get access to a user that's part of that controlled group who's not a domain admin but can administer secm and you can use that to Pivot your way up did I skip this no that's so that's kind of what the architecture looks like in a very high level so you've got your primary site server and then you've got your distribution points and then um you know you've got different domains and your clients are reaching out to whatever distribution points closest to them and then it's all replicated so secm has two kind of backend components there's a SQL database which stores a lot of information and um a wmi backend which
also stores a lot of information um it's important to note that the stuff you see in the console um for SCM is not even a fraction of the amount of information actually collects so digging through the backend wmi and and classes in the SQL database it's mind-blowing the amount of information actually gathers um so the way that power SCM works is we're able to manipulate the SQL database and wmi classes directly to the backend without going through the front end interface and so we're able to hide a lot of things from the actual um you know front end that admins are going to see when they log in and a key here is there's two ways to interface with it uh
the SQL interface tends to be better for defense cuz you can get a lot of these link tables and a lot a lot more like detail contextual information but it's very difficult to modify it so you have all these store procedures and everything's linked and whatever else so it's it was difficult for us to figure out how do we create a malicious package and push it out through pure SQL but wmi is a lot simpler you don't have as much information because you can't do the equivalent of Link tables but it makes it much easier to manipulate and create components so we use we recommend SQL the SQL approach and the SQL interface for defense and wmi for offense and
we'll show a query or the difference between the two for a simple pulling the same information and what they look like here in a bit so SQL um it's just a normal you know SQL backend there's nothing crazy about it I'm not a SQL Dev so I don't do SQL stuff so I see SQL and like oh my God it's ugly away um it's great for as well was saying it's great for gathering information so it it collects a lot of lot of really juicy information that that might not be stored in wmi um the issue of SQL is to be able to pull all that information directly you have to have a relatively decent background or
in-depth knowledge of the database itself and how all the tables and stuff work out and that's because this is what the schema looks like it's not properly documented uh it's kind of documented by Microsoft not 100% so I spent about 4 days straight trying to parse through every single one of these tables and then the same bit of information of saying show me installed applications it's in like four different places and there's a view then there's one with some information not other information some of it links to the client some of it doesn't some of as randomized SIDS so I if anyone's a SQL admin or a dbaa I don't envy your job because this was not
fun trying to like basic reverse engineer how the schema is actually set up and how everything is linked and then each one of these tables and each field and all these views are kind of essentially mapped to equivalent WM classes in the back end but again that's not documented so we we did our best with power SCCM to abstract away a lot of this complexity so you don't have to memorize all these queries exactly where it's going but it uh it's not complete I guess is the point so we're because we're not SQL experts we did our best but uh no guarantees so I'm not going to go through all these but this is a small
example of some of the really interesting tables you know know show me the current processes you know view GS current of course that makes sense I have no idea about the naming scheme or historical processes HS doesn't actually stand for historical it stands for something else and in certain Fields these are switched and GS has historical and HS has non-historical so whatever but you can do tons of stuff like browser helper objects software files drivers uh open shares currently logged on users there's a huge amount of stuff that if you tune up the collection component you can get some awesome stuff that you can either manually search for on the defensive side of power CCM or
throw it into something like Splunk and we'll have a slide on kind of configuring hooking all that stuff up for your sim but tons and tons of stuff uh I think the browser helper objects kind of kind of blew my mind Auto starts you could find a lot of really basic persistence and things like that then wmi um you know it uses wql the um Whi career language um so you can interact with this really easily with po shell via the get wmi object which is how we end up doing it on the back end um like we were saying earlier wmi it's so much easier to update you it's just a oneline Thing versus like spending three
and a half hours crafting a SQL query um the the neat thing about wmi is that you can if you match up all the properties you can just throw it at the classes and it'll update the stuff in the back end so some of like an application package requires a non-trivial XML schema to actually describe everything thing so instead of having to figure out how to link that in the database we can just push that out to one Wy class property and then the back end takes care of everything and does all the awesome stuff for us that's not super documented either so I had to push out applications and then pull the XML and figure out what was required and
what yeah Weir Microsoft doesn't have a msdn about here's how you create a hidden malicious package that doesn't touch this us an I don't know why they didn't do that so that's kind of what it looks like um this is 3w exp4 if anybody use that it's an amazing resource to to browse the VMI pretty quickly under the SMS name space everything's under the root SMS and then the sitecore and then the site code that's operating out of and then there's just an incredible amount of different classes that you can that you can interact with yep so he's while I was spending four days looking through the SQL schema he spent about 4 days looking through the wmi schema to
try to find equivalent stuff and the naming the naming scheme for the classes versus SQL that's equally is frustrating because none none of the names make sense and so you're like oh this seems like maybe this is something I need and it turns out to be something completely different so this is the difference this is to get all applications um wmi that's a query and then that's what we' use for SQL um so a lot of the functions in PCM uh will wrap a super long SQL query with all the arguments and everything abstracted up so you don't have to worry about it but if you want to throw into like a custom Sim ingester or something
like that you can just pull the raw query straight out of the power SCCM package and do it manually if you would like yeah and this really this really shines in where you have a lot more you can get much more granular with SQL in the sense that you can do all of this you can craft really detailed specific queries versus wmi you're kind of you're kind of limited into what the classes or properties are actually available to you um which is what makes seel a lot nicer for hunt and all that good stuff cool get on time so that that's enough of us complaining about how yes go ahead you mentioned that wmi can be
used is that an assumption that requires as a inm open yeah I mean it's so the question was you know are what assumptions are you making as far as the open ports and different things like that so it's it's standard Windows functionality is the same port that wmi uses for remote SQL connections is the same port that you know SQL uses and it's hard to block because when the client check in that stuff's getting updated yeah so in general the the ports and everything tend to be relatively open on the secm servers themselves because it's you know if they try to lock down everything you know it probably introduces issues when they're using it in production so more
often than not they'll like drop a lot of the firewall rules and make it relatively open so enough of us complaining about how terrible scheme is and that's super exciting we're going to go over the power SCCM package which is a proper Powershell module that we published for this stuff it's not on the Powershell Gallery it's on we'll have Links at the end it's on the the PO shell Mafia group repo that has like power sploit power CCM and a bunch of the cool proper packages we've been developing so background uh along with you know if you're trying to abuse SCCM properly in the field along with needing uh uh knowledge about the wmi scheme and
the SQL scheme and everything else you have to have a pretty detailed knowledge about secm so we wanted to abstract away a lot of that complexity and bring a lot of this functionality to people on engagement and the often and defensive side to use it without having to be experts in this stuff so there's not a lot of public information on a using secm the only presentation we're aware of was Dave Kenny and Dave and Dave Des Simone's uh Defcon 20 only1 to rule the mall presentation it's it's super cool definitely go check it out and I think this functional is actually actually introduced into the social engineering toolkit so you can push some stuff out
that will like patch some existing SEC and packages and push out agents to a large number of machines it was great this is a few years ago we saw this we're kind of inspired and we wanted to take this to the next level instead of saying Mass Ownage how about we hunt for exactly where certain people are and create targeted collections in a very hidden kind of more like red teamy type way so basic usage for the package you import your Powershell module and we have a s a session based model in seccm so very similar to sim sessions and like Windows remoting sessions we have uh like new secm session which you can specify W Meer SQL it registers it saves
it off as as an object with all the configurations and then you pass those objects on the Powershell pipeline to um any of the quering or abuse type functionality that you need so you know get SCM session you know get SCM application so if you're not used to Powershell this is a bit weird but we were trying to do it like properly Powers Shelly because my boss being Matt Graber manifestation he said that I actually have to write proper Powershell now instead of just writing scripts so yeah uh removing remove satm session will kill the session and one thing that didn't mention before is if you're trying to determine where these site servers are and all these site codes are
we have functionality that'll let you do that as well too so if you land on a local machine you can use find local secm info and it'll return all the configuration stuff all the site codes if you know where the seccm server is we have interfaces that will let you enumerate all the sites and distribution points remotely so uh pretty much anything we could think of for uh normal functionality how we would use it we tried to build command lists that would automate this question yes what permissions are required what perm are required well yeah he'll go over that just a little bit in the the attex side but you need you know administrative access on the secm server right so again
like he had said that ideally in a perfect world there's no way you could do that but there's you don't need domain admin to actually administer an secm server which a lot of people think yes can you do that from box the main issues credentials uh can you use it on a box it's not a domain I we integrated credential objects um external credential objects into this project we didn't do extensive testing as far as like a non-domain join machine we typically just used it on a a regular domain join machine for the most part like you fish your initial user but with additional credential objects you don't have to have you know a DA context
running in order to interact with it you can pass the credential object so as an example you know import power SCCM new SCCM session you know doing the computer name for the secm site server whatever the site code is and in this particular instance we're going to use SQL this will connect off off um save everything up you see all the particular SQL permissions site codes connections blah blah blah all that kind of stuff this is how you would actually use it just like in that previous Slide the example I showed this is what the output will look like you'll get a ton ton ton of stuff these are all proper Powershell objects so if you're used to like
filtering in the pipeline and all that it should work correctly uh what was this SE Services yeah so on that particular machine that particular IP address it'll list all the running Services right nothing too crazy but you can start to do some cool stuff with it at the end so using sum as an attch platform this is the cool stuff defense is lame whatever I had to do that but offense offense is the cool stuff so in our red teams we tend to stay towards or operate more towards using admin tools against them so we're unauthorized domain admins is the way that we see it is we just go in and administer stuff for them
um so the nice thing about s is it already exists so you're not introducing anything anything new into the environment minus maybe your EG Point um so traffic is completely normal um a lot of people don't think of looking at a forensic or hunt or incident response level of hey maybe something happened in secm like we should go look at this and something that's uh not a Sol problem that we know of publicly you know if attackers are abusing SCCM how do you do forensics on the SCCM server itself in the database and how can you detect these packages this does leave a lot of artifacts in there so that'd be something for someone to look into I
think very interesting yep and there have been rumors of some actors actually using SCM to mass deploy um NBR wipers after they're done in the there was a actually a crime War gang in the news a couple months ago they use SCCM to push out crypto Locker for an entire domain so instead of one machine it's like oh look we found this yeah everything's crypto Locker so looking normal greatly reduces your chances of actually getting caught which is what we're relatively confident in um yep yep so this goes to the permission question attacking sec. da when we initially introduce the concept we got a lot of push back of like oh well if you have da it's already over type of thing
um that's why we like to stress that this is a very there this is very much of a post exploitation thing and not an initial Vector thing um and so the way that you're supposed to set it up is you don't run everything as da you know um delegate your groups out only give access to what's needed um so people will have SCM admins and so using something like power viiew you can go and hunt for SCM admins you know find a way to get it once you actually get their credentials or access or whatever um you might not have access to the entire network but you can use that to Pivot throughout the network in a
different way than what might be normal um to to get to your crown Jews or your your other elevated accounts um yep yep so as I mentioned earlier getting a group you can kind of hunt for some of the groups that have SC men them this will give you a good ideas of or a good idea of what users you want to go hunt and that first step is you know figuring out what's the naming scheme this kind of goes it blends with the offensive actor directory stuff so we're not going to go heavily into that cuz those are that's a huge other like you know bit of knowledge but we're happy to talk about
it later but identify who want to who you want to go after start grouping them and then and if you haven't seen Will's talk in tuers 2016 about power viiew go check it out so using SC for code execution um so like I said me like I mentioned earlier um the clients check in to the server if there's a new application or package and it'll download it and execute it um and so what this means is that if we can gain access so that we can host a binary payload on a share or we can create some sort of malicious deployment or application um and when the code the way that we set Power sum up is um it
actually it's all using po shell so there's no you know new binaries or any of that stuff so normally you would RDP into the guey right so you compromise an SEC madmin or the server itself and then just RDP in and use the exact same SCCM admin functionality that that admins would otherwise and we got tired of doing that so uh H the remote package yep and then it runs a system so that's nice that's always fun so using free evil these are kind of the offensive commandlets um we kind of we went over them a little bit the new um and we'll go over the whole process of grouping the users pushing the applications
Linking everything together: this is more for reference; we'll tweet out these slides right after the presentation, so we're not going to detail every single command (that would be super exciting). So, hunting for users: you can do that with PowerView already. The nice thing about SCCM is that it logs and collects where users are logged in, what time they logged in, what boxes they're logged in on, and so you can actually use that to pull out targets. So you can use Get-SccmComputer if you know a little bit about PowerShell (I plan on fixing this so you can just pass a username, but right now you just pull out the last logon
username), and if it equals whatever you're looking for, it'll return the target and you can go about what you want to do with it. There's also Get-SccmConsoleUsage. SCCM collects data in different ways, and so sometimes the last logon username can be finicky; it might not be... Yeah, so that's more like the Windows session kind of component, and this is going to be logging the actual command line execution. So yeah, occasionally it's not 100% accurate, and sometimes SCCM misses information in certain ways, so it's just two different ways to get to the same objective. Console usage is enabled by default, and that's been the most
accurate from what I've seen; it almost instantly tells you who's logged in and when they logged in. So this is kind of what hunting for users looks like: just give it a username, and it's like, here are your targets. So that's kind of the first step, or step 0.5: figuring out where the groups and everything else you want to target are. Then the regular first step is: where are my actual target users logged in, where is the incident response staff logged in, what's the group that I'm going after? And this is kind of step two. Yep, so after you have your targets, what you would do next is throw them in a collection.
It's what SCCM calls a collection: you have all of the devices or user objects that you want to push an application out to, and so you can get really granular, like these computers only get a certain application. So that allows you to create collections for your targets: you just gather up all your targets, throw them in a collection, and then you're only pushing out your code to those specific targets instead of the whole entire enterprise. Like we said, we're just trying to take that to the next level. It'd be easy enough to push an application out to every single machine, but to us that's not the
best tradecraft, always, on a red team. And also we're lazy; we don't want to have to clean up everything, and if I'm managing, you know, a thousand agents coming back, it gets a little bit tricky, and then Empire will crash and everything. So mass pwnage is bad; targeted, controlled pwnage is good. Also it makes for, you know, logging: you only have a handful of targets you have to keep track of. So this is how you would group your targets using PowerSCCM: you can just do a New-SccmCollection and give it a name and then a collection type, and so you have two collection types, you have users and devices.
I haven't seen people set up SCCM to actually have user objects or user groups; I've always seen it just devices. Some orgs might use users; the functionality is there if you want to create a user collection, so instead of pushing it out to just these hostnames, you can push it out to these users, and whatever workstation is associated with that user is the one that will get it. But all that crazy WMI stuff in the back end is just super easy: all tab-completable cmdlets, so you don't have to worry about all the cruft in the back. Yep, and once you create the collection, it creates it empty, and then you can use
Add-SccmDeviceToCollection to actually add the computer name or targets that you want to that collection. And so you start adding them up, and then once everything's in the group, you're able to just push it out. This is the coolest part, I think. So this took a really long time for me to figure out, and Will was like, "I have no idea how you figured this out, this makes no sense," and I still have no idea how I figured this out; this makes no sense. So you can create a malicious application directly via WMI, and there's an IsHidden property that you can set. This is the
part that blows our mind. So normally when you create an application in the GUI, it shows up, right? There's a hidden field; you just set IsHidden and it doesn't show up, and it doesn't... I can't think of a legitimate reason for that to exist, like why would you want hidden applications? So when we create the malicious application with malicious logic, if a regular SCCM admin pulls up the regular GUI, they don't see any of the malicious logic. And we were talking about trying to do forensics and stuff on this; I think it would be really interesting. Yeah, so in the back end it uses WMI, then it takes a giant XML blob and
just patches in the code that we want to push, and it shoves it up into the WMI class, and it's there, hidden, and nobody can see it. And so you can do this with New-SccmApplication: you just pass it a name, and then there are a few options. You can push out binary packages; our preference is obviously PowerShell, so Empire outputs base64, so you can just throw in a base64 blob and it'll run powershell -enc and it'll run the code, and so you're not introducing any additional binaries to the system or any of that. And one other kind of cool thing
we ran into is, normally with SCCM, when you're launching the application there's a length limit on what you're actually allowed to run, right? So normal functionality is: take an MSI or EXE on a share and then have a launch command that reaches back. We wanted to do PowerShell without touching disk, but the Empire stagers are too long to run in one swoop, so we stuff all that logic into a custom WMI class on the SCCM server, we mess with the ACL so any user on the domain can read that WMI class, and then we push that out with the launcher. The client will run the command, reach
back, read all the data from the WMI class that's been opened up, run it, and once they fetch the payload we clean everything up afterwards, so there's no evidence left as far as the logic. So this lets us run arbitrarily long PowerShell scripts without touching disk. It's in a WMI schema component in the back end, so it's technically on disk, but it's not a traditional file that's on disk. And when the code executes, the client is reaching back out to the SCCM server, so that's not entirely odd to see; it doesn't look too weird. And that's what it looks like; it gives you some verbose output.
The actual cmdlets aren't that great, which I plan on fixing as well, but you can see the LaunchCmd is what will actually execute on the system when the application is pushed out. You see the base64-encoded stuff, and you see this is the custom WMI class reaching back to the server and pulling it out, and it pulls it from the prop value, or the prop...
Yep. (Audience question.) So they would see the WMI traffic coming back; that might not be super typical for traditional SCCM execution, but everything else is. I forget what protocol it is, but it's the normal SCCM reach-back, pulling type stuff, so it's not going to look weird, I don't think; we'd probably have to dive in a bit more, sorry. (Question: do the hidden applications show up for users?) Yes, so when you query through WMI or SQL in the schema back end, the hidden applications will show up; they just don't show up in the GUI. So you can take this back and, if you have access, run it and see if there are any
hidden applications, because there shouldn't be. We don't really know of... there's a couple projects out there that were kind of similar, from just an admin standpoint of interacting with SCCM remotely; we don't know of anyone that uses them. Every single time we've seen a deployment, people just use the GUI. Cool, so after the application's created, you can then just push it out. And, like I said earlier, we have our targets in a group, and then you can just do a New-SccmApplicationDeployment and pass it the name and then the target. You're creating the group of users, creating the malicious application, and this is what binds it together to actually deploy it
to that collection. So there are three or four steps in actually getting it all out, and you have a lot of control through each step, making sure you're not touching a target you don't intend on touching. And then this is kind of cool; I'm still kind of working through the research of how exactly this works, but there's a function called Invoke-SccmDeviceCheckin that will execute a WMI method on the back end of the SCCM server that will force members of a collection to check in. So instead of waiting three hours for these clients to check in, depending on how the company has their stuff set up,
you can trigger this, and most of the time it will force, depending on the check-in schedule, the actual collection members to check in, so you don't have to just sit around. So it kind of has a lightweight heartbeat that it does pretty frequently, and then every few hours, wherever the deployment cycle is, it actually says, okay, give me any applications that are going to be pushed down. So this just closes the window on that initial little heartbeat; it forces them to pull down whatever new application deployments are scheduled. Yeah, so they periodically check in, and then if there's a new application or package that's available to be deployed, it'll pull it down. A little bit to the demo. Cool, so
unfortunately we're going to have to kind of cruise through the defense stuff a bit, because we want to make sure we can actually show a video demo in time. SCCM is a defensive solution. Just like we hide in the noise for red teaming, if you're a defender and you don't want to tip your hand to any advanced adversaries out there, you also like to hide in normal functionality. So there are attackers that are sophisticated enough to where they just see some kind of defensive imaging product or IR thing spin up on a machine, and they can actually change their actions, shut agents down. So again, you don't want to tip
your hand. There's a lot of really cool previous defensive work, actually, with SCCM: there's "using and violating best practices", using it for IR. So these links will work in the slide deck they put up on SlideShare; a lot of good stuff, a lot of the defense was drawn off of this existing work. There's a presentation from a few years ago at one of the SANS summits, again just actually using SCCM for incident response, which is kind of a cool concept. So I'll go over tuning and some of the cmdlets. By default SCCM will collect a good chunk of interesting information, but like I mentioned before, there's a lot of
stuff you can tune it up to get even more. So if you want to have autostart software, browser helper objects, drivers and all that, you have to enable this manually in your SCCM deployment. Luckily you're not installing new software; you're changing a couple settings that just tell the SCCM agent to grab more information from each host when it checks back in. Pretty easy to do: just find the settings, hardware inventory, and then enable another chunk of classes. Part of this is just for reference if people actually want to use this afterwards; this was a couple days we went through saying what would actually be interesting and useful
stuff. Also you want to make sure that software metering is enabled; sometimes it is, sometimes it isn't. This gives you a lot more of the recently launched applications and historical stuff, which is one of the more useful components for catching bad guys, like command line logging, right, without having to set it up on the host, do Windows event forwarding and all that kind of stuff. This will pretty much already do it for you. So, more reference, to make sure you have that enabled. And the last part for tuning would be software inventory. If you want to, you can have SCCM inventory every instance of a file of a particular
pattern on the host. It won't give you MD5, but it'll give you publishers, authors, the names, arguments, all cool kind of stuff. So we like to recommend inventorying every single executable on every single host in the environment, pull that all back, and you can find some very interesting stuff: a lot of commodity stuff, but also some, you know, malicious, real type things. And defensive cmdlets, again as reference: you can get process histories, recently used applications; drivers are pretty cool. Or, oh, these are some of the cooler kind of meta functions. So some post-exploitation tools like Mimikatz will have Benjamin Delpy, gentilkiwi, his
name in the publisher information. So if the packers change the name of the app, most of them don't really know what they're doing and aren't going to actually go through and properly vet the EXE that they're using, so some of these cmdlets will find all instances of Mimikatz in your environment, if it's on disk, right. So again, it's not a silver bullet; it's not going to catch Mimikatz in memory, but you can start to build more interesting detection capabilities by correlating some of the publisher... I forget, there's a couple of other fields that tend to link some of these hacking tools together. And the last cool thing with
defense is you can actually hook up the SCCM SQL database into an ingestor for your normal SIEM solution. So this blog post that I cited in the references walks you through how to link up SCCM to feed directly into Splunk, so you don't even have to use PowerSCCM or whatever else; you can just ingest all of this information from the SQL back end directly and start doing heuristics and analytics and build your own custom queries. So for a lot of people, if you have a SIEM solution, this is probably the best approach for defense, or it's the least overhead; it's literally just connecting up a consumer, and then you get a huge new
data set that you can pull in. I think for us it's more about trying to change the perspective of defenders: yes, you have this huge amount of data, why not use that for IR? Cool, now we're going
so, sorry, the text is a little small; Matt's going to talk through this. So the way this is set up, through an agent, we have Find-LocalSccmInfo; use that to create a New-SccmSession, and you can use Get-SccmSession to check. Yeah, this is all stored in the back end session, but then you pipe to whatever cmdlet you want. You can have multiple sessions going, so if you have multiple site servers, multiple sites, you want to be more
granular. So we're hunting for a user, and that returns the workstation name that they're logged into, and we can use that for targeting. And then the next move is actually creating a collection and then adding that device to the collection. I would be cautious of what you name it, because the collections do show up, so don't name it like "targets" or "red team targets" or something. So we looked; there's not an IsHidden field for the collections, unfortunately. (Question: do you have to create a collection?) Yes. Yeah, so the question is, do you have to create a collection. Yeah, it's fundamental
in the architecture; you have to have that. This is just validating that it was created, by using Get-SccmCollection, which returns the collections that are currently created, so that's always nice, to just validate those were actually created for safety's sake. And then you can move into actually adding the device to the collection, and I hope at one point to make it so you can add multiple of them at once, but right now, with how I have it set up, you can do one at a time. You just pass the collection name, and that will actually add it into the collection. And then, like I said, the output itself isn't super robust, like, hey, it works; if
red text isn't vomited everywhere, it probably works. That's kind of the error checking. And then you can move into creating the application itself, now that we actually have the device that we want to target and the collection that we want to have that device in. And then here we're going to be using an Empire payload, so I've already generated it; you'll just take the actual base64 blob, and it's Unicode, so if you do use this make sure that you use the base64 Unicode. There are a few different options; you might have to tweak a little bit. And then that will return the actual one-liner that the package of the application will
actually execute on the system. So in one swoop that created the application, stuffed all that logic in the custom WMI class, opened up the permissions, and then we can actually do the deployment. So you're just specifying the application name, what collection you want to push it to, and again, we're not on the server itself; we're on a workstation with rights, but doing it all remotely. (Question: where is the hidden flag?) It's implicitly set, and you can unhide it if you want. By default... then you can do the check-in. So it'll return the application name when it's successfully created, and then you can specify the collection that you want to force a check-in on, and then it will
execute that WMI method, and after a few seconds you should get an agent. This is kind of hit or miss, the actual invoking of the check-in; I think it's something to do with the schedule, but it beats sitting around a little bit. By default SCCM runs code as SYSTEM; you can go and change it if you want, but SYSTEM's awesome, so I don't know why you would. You can just see it's running as powershell, because that's the actual process it started, to reach out to the WMI class and actually grab it. There's a cleanup function; I intend to group these into one, but right now they're separate. And so you're going to remove the actual
application. You have to do this in a specific order because things are linked together, so you start at the top by actually deleting the deployment; once that deployment is deleted, you have to delete the collection. We have a couple blog posts about this; if you search for PowerSCCM, I did a series on blue, he did red, and he stepped through all of this, the exact process you need to do to clean up, just cleanup lines. There's no "success" message; like I said, if it vomits red, it broke. I need to add in some proper output for both, I guess; this is all thrown together. So yeah, so now it's done, it's removed; there's not
any direct evidence of anything that happened; you were just able to
compromise. Yep, that's pretty much it. I think we still have... oh, cool, yeah, good time; we probably have just a minute or two for questions. (Question: can you set SCCM up to alert when someone logs in? Does it track that?) So the question is, can you set it up to do alerting when particular people log in. I mean, you might be able to do it with the console, but as far as doing a direct connection out to the back end, like WMI, I don't think, off the top of my head, there's anything for that. It's more of an information reach-out, query model; it's not as much of a... I don't think SCCM can push a notification down.
Connecting to the back end directly is kind of... it's not secret, it's documented, and it's kind of a creative way of getting SCCM to own itself. So a lot of it is just relying on permissions at the end of the day; that's going to be that. Any other questions? Cool, well, thank you guys.
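The check the speakers suggest defenders run, querying the SMS provider for applications flagged IsHidden (which the console hides but WMI still returns), written out as an added example; this is not PowerSCCM or the speakers' code. It assumes read access to the site's root\SMS\site_<SiteCode> namespace, uses the standard SMS_Application and SMS_ApplicationAssignment classes, and the XPath for the install command line assumes the usual AppMgmtDigest layout.

```powershell
# Added example, not PowerSCCM code: audit a ConfigMgr site for applications
# flagged IsHidden (invisible in the console, visible in the WMI schema) and
# report who created them, where they are deployed and what they would run.
# Assumptions: read access to root\SMS\site_<SiteCode> on the site server;
# SMS_Application / SMS_ApplicationAssignment are the standard SMS provider
# classes; the InstallCommandLine XPath reflects the usual AppMgmtDigest layout.
param(
    [Parameter(Mandatory)][string]$SiteServer,
    [Parameter(Mandatory)][string]$SiteCode
)

$ns = "root\SMS\site_$SiteCode"

# The console filters on IsHidden; the provider still returns these objects,
# so filter for them explicitly (client side, to avoid WQL boolean quirks).
$hiddenApps = Get-WmiObject -ComputerName $SiteServer -Namespace $ns `
    -Class SMS_Application |
    Where-Object { $_.IsHidden -and $_.IsLatest }

# All application deployments, fetched once and matched client side because
# AssignedCI_UniqueID is an array property and awkward to filter in WQL.
$assignments = Get-WmiObject -ComputerName $SiteServer -Namespace $ns `
    -Class SMS_ApplicationAssignment

foreach ($app in $hiddenApps) {
    # SDMPackageXML is a lazy property: re-fetch the instance by path to load it.
    $full = [wmi]$app.__PATH
    [xml]$digest = $full.SDMPackageXML

    # Namespace-agnostic XPath so the digest's xmlns version does not matter.
    $installCmds = $digest.SelectNodes(
        "//*[local-name()='Arg'][@Name='InstallCommandLine']") |
        ForEach-Object { $_.InnerText }

    # Collections this hidden application is deployed to.
    $targets = $assignments |
        Where-Object { $_.AssignedCI_UniqueID -contains $app.CI_UniqueID } |
        ForEach-Object { $_.CollectionName }

    [pscustomobject]@{
        Application = $app.LocalizedDisplayName
        CreatedBy   = $app.CreatedBy
        Created     = $app.ConvertToDateTime($app.DateCreated)
        DeployedTo  = ($targets -join ', ')
        InstallCmd  = ($installCmds -join ' || ')
        # An encoded PowerShell command or a WMI read in the launch command is
        # the pattern described in the talk and deserves a closer look.
        Suspicious  = [bool]($installCmds -match '-enc|EncodedCommand|wmi|cim')
    }
}
```

Any row returned is worth explaining: a hidden application with a deployment to a collection, created by an account that does not normally author applications, is the exact artefact the talk's technique leaves behind in the schema even though the console shows nothing.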