
Uh, thank you all for coming. As people are kind of straggling in, I'm going to just putter around a little bit. Um, so first of all I just wanted to mention this is my first actual live speaking; I did one online a while ago, and I'm actually fairly new to cyber security in general, so I've been in the community for just a very short time. And so I just wanted to say to all of you out there, first of all, thank you for being awesome people in the community, because this community is just so over-sharing, in a good way, and just so encouraging, and part of the reason I'm up here today is because of all of the people that I've been surrounded by that are encouraging. So if any of you are like me a year ago and you're aspiring to do a speech, I highly encourage you to submit for something. If you think it's important, somebody else is going to think it's important, so just know you do have something important to say. So with that, I hope you think that I have something important to say. Um, obviously you at least somewhat do because you showed up to this room, so unless you're lost, uh, you're here to see "When Push Comes to Shove: Exploring SCCM Attack Paths."

So did you know that SCCM is 28 years old? SCCM is actually older than Active Directory. And I'm calling it SCCM, but it's currently known as Microsoft Endpoint Configuration Manager; there's like a million hashtags for SCCM, I've realized now. Um, so it actually started in 20... or sorry, not 20, that would not be 28 years... in 1994. And in 1994 it came out as SMS, or Systems Management Server. And just for reference, do you know what else happened in 1994? That was not the year I was born, nice try, but Justin Bieber was born that year, China was first connected to the internet, and this guy became a billionaire pretty much overnight. But it's not a talk about 1994. And so while you might not remember where you were when Richard Nixon died, which was also 1994 by the way, you might remember where you were when you heard me talk about the gross vulnerabilities in SCCM.
So my name is Brandon Colley. You can find me online on Twitter at @TechBrandon. I already lost some audience members, Chris. Uh, I have 15 years of sysadmin experience. I've been securing Active Directory and Windows through several different previous jobs. I'm currently a recovering SCCM administrator (uh, thank you to one of my friends, Jake, for letting me use that joke). I say that because I actually supported SCCM at three separate institutions; the most recent one I actually built from the ground up and implemented a lot of the poor things that you're about to see today. Currently, over the last seven months, I've worked with Trimarc Security, and we perform Active Directory assessments for clients big and small. We do Azure AD, we do VMware, we essentially do whatever the client really asks of us. And possibly most importantly, I am a big Kansas City Chiefs fan; I actually almost wore my jersey today, maybe later tonight for the afternoon party.

So, our agenda. I assume most of you already have at least a brief understanding of SCCM, but we're going to go through it anyway. I'm going to talk about the client install, and I'm also going to talk about the client push settings, as well as the recommendations that are surrounding those. I'm then going to talk about the vulnerabilities that are mitigated, or attempted to be mitigated, by some of these recommendations, and then we get the fun stuff: we get to do some attack demonstrations. I've got three separate attack demos that I'll show you guys, and I'm really excited that, for the first time publicly, this is part of a responsible disclosure for a CVE that just got released earlier this week. There's a knowledge base article that just came out on Tuesday, I believe it was, that patches some of the vulnerabilities that I'm showing you guys how to attack right now. So either you're welcome or I'm sorry; it depends on which side of defense you're on, I guess. So we're going to talk about, when push comes to shove, how an attacker can fully compromise Active Directory in multiple different ways. You'll see Windows and SCCM behaviors that extract administrative credentials, how attackers use those credentials to move laterally, and then we'll also figure out how you can completely bypass all mitigations. And this attack could be used as a vehicle for not only just elevating to Domain Admins incredibly quickly, but could also be used for something like ransomware. And so we're going to close the talk too, as long as I've got enough time and I talk fast enough, with some mitigations. So here we go.

So, SCCM. Like I said, I assume most of you know SCCM, but some of you might be lost, so, uh, thanks for sticking around anyway. SCCM is a systems management, uh, application that manages endpoints. It's typically used to patch systems' OSes, deploy applications, deploy operating systems, and it does much, much more than that. Typically it requires more than one full-time employee to manage SCCM, depending on the size of your organization. SCCM relies on the client installation, so this is a client-based application, and when you first install SCCM you get to pick your poison here on which method you'd like to use to install the client on all of your endpoints. And so the client install... uh, client push is the one that we're going to be talking about today. So why do people pick the client push, right? Well, it's very easy to do, it's been around for a long time, and I think most importantly, it's actually listed first in the documentation. And so we all, sysadmins, are like water, and we just take the path of least resistance, right? So honestly, though, SCCM push accounts are fairly attractive because of the integrations that they have with Active Directory. So here's a screenshot of the system discovery. System discovery can be mapped into your Active Directory, so whenever new machines come online they automatically get put into SCCM. The second piece of that is installing a client on those machines, and so here's the screenshot of the client push installation properties, and then you also have to configure the accounts. And so these accounts are configured because, to install the application, you need administrative credentials on the endpoint, and so here's where you can configure your usernames and passwords for the accounts that are going to do that installation. So basically our workflow here is going to be: add a new machine to the domain, that machine automatically gets injected into SCCM, and then SCCM automatically pushes the client with one of these accounts.

So some of you might have seen this comment a little bit: client push is generally not recommended by Microsoft. They talk about the local administrative privileges that are required as being a major reason why they don't recommend this, and so that's where the talk typically would end right there, but lucky for us, we're going to keep going. So they offer "if you must" (I like to capitalize and bold here, if I could): if you must use the client push, first of all, do not put your account in Domain Admins, so it's game over already if you've done that. Instead, they recommend that you spread the access across multiple accounts, and this limits your attack surface. Lastly, they recommend that you enforce Kerberos mutual authentication, and that is also known as disallowing fallback to NTLM, and we're going to talk about that a little bit more, as that's essentially what we're talking about through the entire talk.

So the "allow connection to fall back to NTLM" setting: this setting was added in 2018. Version 1806 was released for SCCM, and that's when this was added. Up until... and I just learned this earlier this week... up until the most recent install of SCCM, this is unchecked by... sorry, this is checked by default. So by default all your installs are allowing fallback to NTLM. The most recent version that was just released, for a brand new install, does now uncheck this, as the recommendation states. So just to clarify what this setting actually does: Kerberos authentication is what's going to be preferred, as far as just Windows in general goes, so communication between your clients and your servers is going to prefer Kerberos, but if Kerberos fails to authenticate, or it can't use Kerberos for whatever reason, this setting will allow it to fall back to NTLM.
All right, and so to further explain the configuration of the vulnerable configuration, I like to break it down into three pieces. So the first piece is the NTLM hash of the push accounts. So I don't have time to really dig into NTLM and so on; instead, all you really need to know is that it's a hashed credential. Kerberos is considered a better method and a more secure method, and is much newer than, you know... The second piece of the puzzle is the heightened privileges that are granted to those client push accounts. So by nature, and essentially the sole purpose of those accounts, is to perform installs on your endpoints, and like I said earlier, do not make them Domain Admins. Even though you need administrative credentials on all of your endpoints, it's still not a good idea. At Trimarc we assess this, and we see still about 20 of our customers are continuing to do this, and this is considered a critical issue. So the last piece is the action of the SCCM server performing the install, or kicking off the client install, and what I mean by that is that the server controls when the client gets pushed to the endpoint, or at least it's supposed to. So if an attacker is able to somehow trigger that installation process, they can put themselves in a position where they can capture the NTLM hash of the push account and gain administrative credentials on the endpoint. So now we're starting to see the problem.
This is the problem that's actually been around for four years, so this is around the same time that the patch... or not really the patch, but the NTLM fallback setting was created. So Matt tweeted this out back in February of 2018, and he says that if you can elevate on an endpoint, you can gain the NTLM hash of the domain service account that's used to install an agent, and then, oh by the way, that's a local admin on all of the endpoints that it manages. In replies to this, Matt goes on to explain a little bit about how you might be able to coerce that installation to occur: you can simply just uninstall the agent if you already have administrative rights on the endpoint, or you can leverage WMI to downgrade the version, and so when SCCM checks back in, SCCM is going to see that it either doesn't have a client or has an old client, and it's going to attempt to reinstall. So that's all great, but it can take, you know, seven days, 20 days, however long it's going to take for that cycle to occur. So I found a better way to do it.

And so attack one, I like to call this "all the creds". So with this attack we're going to assume that we just have a regular user credential. We're assuming at this point we have phished the user, or we found a password underneath a keyboard, whatever, just a normal domain user account. We're also assuming some default configurations, which by Microsoft standards means misconfigurations. So by that, the two that we're really going to attack are the domain join permission (and if you're not familiar with this, by default all authenticated users are able to add up to 10 machines to your domain unless this has been mitigated), and we're also assuming the "allow fallback to NTLM" is enabled. With those set up, we're then able to force NTLM authentication to occur. I mentioned earlier that Kerberos is going to be the preferred method, so if we're able, as an attacker, to join a computer to the domain, we can downgrade the authentication and force NTLM to occur by removing the host SPNs of that Active Directory object.
So the other piece I want to talk about before we get to the hack, and "all the creds"... the reason I call it "all the creds" is because we're going to attempt to capture all of the credentials that are configured for your SCCM push accounts. So I like to break this down by the difference between the theory and the reality of how SCCM does this, and I blogged about this back in January. The theory is that you can set up multiple push accounts that target only a select few computers for each account. Now, while this is true on how you can configure it on the back end, it's not how SCCM is set up. SCCM in reality works in a much more linear fashion, and by that I mean it's going to attempt the first account in the list; if that account fails to install an agent, it will try the next, and the next, and the next, and so on. Thank you. And so we can simply just remove local administrator to force all of the credentials to send, and so while you might not have a single account that's a domain administrator, with all of those accounts combined, we can capture... I'm going to let you guys read this real fast. All right, before I do the demo, I'm going to do the same disclaimer: use your powers for good. If you don't have approval, don't hack something, please. So here's your demo.
All right, cool, it's working, right? All right, so here is going to be just our attacker's machine. So obviously in the lab I'm just using VMs; in theory it could just be an attacker's virtual machine. And the first thing we're going to do is join this machine to the domain. I mentioned by default we've already stolen credentials, so we're going to join the "Brandon rocks" domain (hope you all agree) with our domain join account. This guy is just a domain user, and we've now created an account in Active Directory for this computer. And before we restart, I'm going to open up a PowerShell...

Audience: Is the word... so do you have to say "shell"? So "PowerShell shell", is that how you say it, opening a PowerShell shell?

No, no, it's just PowerShell. Okay, so I'm opening a PowerShell and I'm running it as the domain join account, and the reason I'm doing this is because that account was used to add the computer to the domain. It's the owner on that Active Directory object, and if you own an object you can manipulate all of its properties. And so here I'm running setspn with a delete, and I'm going to delete these host SPNs, and the reason this prevents Kerberos from authenticating is because it breaks that communication between the client and the server. So when the server is attempting to reach out and find this computer to push the agent to it, it's not going to be able to authenticate with Kerberos any longer. And now, with a little bit of the power of editing, we don't have to watch my slow virtual machine reboot. And this is why I didn't do it live, also because it probably won't work when you do it live.

All right, and now we're taking off the, um, we're disabling Windows Defender because we're about ready to use a hacking tool. So we're using Inveigh to act as a man-in-the-middle attack, or a machine-in-the-middle, which is kind of strange to say because you're actually on the same machine, but what this is going to do is it's going to capture the network traffic that's coming to the machine. And since we're attempting to capture the installation on domain join, we run it through this fairly quickly. Ideally, if you are a real attacker and you aren't trying to demonstrate things, you could just script all this stuff. So I also turned off the firewall, I guess I should mention too, and that's just mostly for preventing lab mishaps, and we remove the group Domain Admins from the local Administrators group. And now we get to launch our PowerShell, and then we're going to load up Inveigh after we deal with the execution policy.

I'll talk a little bit more about Inveigh; we're going to run that a couple more times, and so I'll talk more about it later. But right now what you're seeing is I'm just loading the PowerShell script, and then I'm running the Invoke-Inveigh cmdlet, and I'm telling it that I want to see the console output on the screen, and then I also want to capture machine account credentials. And so here you can actually watch as the traffic's coming through (and this isn't edited, actually, um, this is just real time), and then here's all of our hashes flying through, and so you saw all four separate hashes.

Audience: Yeah, we know, Windows security...

We did that on purpose. And so we can stop it, and then we can run Get-Inveigh and we can pull all of the NTLMv2 hashes that were captured, all the unique ones. And here at the bottom you can see that we got the push accounts one, two, as well as that DA, and then there at the bottom is the WINSCCM computer account.

Audience: Did you say that one of those was a DA? Did we have an account...?

Um, yeah, it was just in my lab, the way that I configured it.

Audience: And if it was, then why would you need to find...?

So five minutes. So five minutes is all it's going to take to pull all of the credentials for all of your configured hash accounts... all right, yeah, all of the hashes for your configured push accounts, sorry, I messed that one up. So what can you do with the hash, right? Well, you can crack it, as most of us are aware, so you take it offline, and if it's not a complex hash and if you've got a nice hacking rig, it can possibly be cracked within seconds. But what if you can't? What if it's a much more highly complex password, it's very long? Then you can pass that hash around in what's called an NTLM relay attack, and that's what we're going to do next.
So in keeping with the definition of a strong password, we're actually going to use the computer account for this next demonstration, and I picked that for two reasons. The first reason is that, like I had said, it's essentially the definition of a complex password: it's a 120-character password for your computer account, and it rolls, I think by default, every 30 days. But it's not just a computer account, it's also the SCCM server account, and while you might think that's not cool or anything, you need to examine some of your installation and also some of the best practices that are out here. So if you're using a remote SQL Server for the database for SCCM, you've had to grant that computer account access to your SQL Server database, possibly the SQL Server itself. If you're using a secondary site, you've done the same thing: you've added your computer account as a local administrator on that secondary site server. This one is potentially scary too, and this is if you're using a System Management container in Active Directory: you've delegated Active Directory rights to that computer account, hopefully just on that OU, but you never know; if you do it at the root you just get full control, right? Nobody does that. And then this one I think is fun too, um, Craig wrote a blog that argued that you could just use the computer account as the push account and just add it to the local Administrators group on all of your endpoints. And, um, in case you think that these are just old articles that I found on the web just by doing Google searches, they're not old (but I did just search on the web for a bunch of stuff). Those last three were released within the last year, and if you're an SCCM administrator or you're around for any period of time, those two in the middle are Prajwal blogs, so Prajwal is essentially the authority on SCCM, so I trust those blog posts.
So you remember we dumped the hash earlier of the computer account as well as all of the configured accounts. Well, if you actually follow Microsoft best practice and we do not allow NTLM fallback to occur, it's going to do what we thought it was going to do: it's going to prevent the Kerberos and the NTLM authentication for all the configured push accounts. So if we remove the SPN, then we can't authenticate with Kerberos; if we set this setting, then we can't authenticate through NTLM. And so none of the client push configured accounts are going to attempt to authenticate to that endpoint, but the computer account does. So this is our first way that we can circumvent this setting.

So this attack is a little more complicated than the first, so I just wanted to briefly introduce what a man-in-the-middle attack is and how a relay attack might work. So first, the victim computer, which is essentially the computer from our first attack: the victim computer and the SCCM server are communicating back and forth, and this is just normal client-server communication. They determine that a client needs to be installed on that victim machine. Lucky for the hacker, he happens, or she happens, to be in the middle (there's your own button), and they capture the hash during that communication. This is essentially what we saw in that first attempt. They then grab that hash and they relay it to the target machine, and in this example the target machine is one of the machines where we have added the SCCM computer account into the local Administrators group.
And so for this attack we are taking NTLM fallback and we're disabling it, per the best practice, and we're going to see the same techniques as attack number one. This second attack is broken down into two separate ones, and this first one is just to essentially prove that what I say is true regarding the computer account still sending the NTLM hash. And so we're just replaying the very first attack (and I learned how to type really fast for this). So this time we're adding the hacker2 account, we're taking the SPNs off; the only difference is in SCCM we've now changed that NTLM fallback setting. And so what's going to happen is when we launch Inveigh, we're going to listen to that conversation, and then we're only going to see the NTLM hash for the computer account.
I found this tool as part of this project and I think it's really cool. So Kevin Robertson is the one that wrote this, and if you just Google search "Inveigh GitHub" you can find the tool if you're not familiar with it. So it's more than a man-in-the-middle tool, it's also a spoofing tool; uh, you might have seen that at the very top of it, it turns on the LLMNR spoofing and stuff. And there's the only hash that is sent, and that was the only authentication attempt that occurred during this setting. And so here we can verify this by just looking at the Security log and verifying that the computer account did in fact authenticate with NTLM. I don't know why I added this part to the presentation, to be honest, other than the fact that you don't necessarily have to run a hacking tool to test this in your environment: you can go into the event log and you can visualize it. I suppose you know that we've seen the hash because you literally saw the hash come through.

Audience: Yeah, so was that... when you say computer account, was that the computer account that you just joined?

Of course, that's a good question. So the question was, is that the computer account of the account that just joined the domain, or is that the computer account of the SCCM server? So that's the SCCM server account. The SCCM server computer account always attempts to authenticate to the endpoint, so that was, for whatever reason, something that they decided to do as like a fail-safe, I guess, to where if you don't have any accounts configured you could potentially use that. I don't honestly know why it does it, I just know that it does, and then it's bad. And so now, that first piece of it is not only just showing how that communication works, but it's also set up as something that can be a repeatable process. So as an attacker, what you're going to want to do is you're going to set up your Kali or your tools here to listen, and then once you're in the position to listen for those hashes, you can then cause the target to perform the behavior. And so the second half of this, we're using mitm6 and we're going to spoof IPv6 traffic and capture the credentials that way. We're also going to use ntlmrelayx to relay those credentials to our target, and then we're going to use proxychains to connect remotely, and by the end of this one we're going to get an SMB shell on our target machine without knowing any credentials at all.

So here we're just verifying that the settings are set the same as I said that they were, with the allowing NTLM authentication being disabled. Here is IPv6, which by default is enabled, so if you're not using IPv6, disable it; if you are using it, don't disable it. So this is our target machine. I should pause that... on my end here, I'm going to try to go back; I got a couple minutes, maybe. Okay, I'm not gonna be like... but I am going to pause real quick, so sorry about that, the changing my mind.
Audience: You too, it's reboot, reboot, burn it to the ground.

Okay, sorry, this is just a two-minute video anyway. So after this thing I'm going to show you the desktop of the target machine, so that's going to be the machine that we're eventually trying to hack. So here I showed at 56, and I got talking about IPv6... I bet the target machine is there. That's the WINSCCM account added to the local Administrators group, and then there is a text file that says "not hacked", and so we're going to hack it by changing the text file. And so here we're booting up our mitm6, and that's going to be our listener, and now we've set up ntlmrelayx with a target of the IP address for our current machine. And now here we're going to simulate a patch cycle, or just sitting and waiting, with this, but this is going to be what forces the SCCM server to connect to our mitm6, and when it does, it's going to be given an IPv6 address, and now it's going to think that my Kali machine is able to communicate via IPv6. And so here, as soon as the computer comes back up, it's going to send that hash. Now, so there's the hash sent, here's our ntlmrelayx, and about four lines from the bottom is where it attempted to connect to our target machine, and then there you can see that we do have an admin status of true on our target. And so we have the ability to connect with proxychains, and here we're running smbclient to connect to the C$ share on that machine with the WINSCCM computer account. It asks for the password here, but you don't need a password, you just hit enter. So here I can now traverse the operating system, I can put malware... so I created this text malware, so first of its kind, I think, and then I'm going to just infiltrate and remove data from the client. So this just proves a couple of the things that an attacker might be able to do, and here on the target machine it shows that we have changed the text file to "hacked".
Okay, so that was just a really quick, uh, NTLM relay example, and the thing that I think is kind of cool is, if we did this and we captured all of the hashes, kind of like we did with the first attack, and we got all the hashes for all the configured accounts, we could set up a target... we could target everything in that subnet or everything in that environment, and so we could essentially spread all of our NTLM hashes across and determine where it's an administrator and where it's not, and then we can target machines based on the information that we have there. So we could start popping shells on all of these machines.

And so with that said, I'd assume that maybe the NTLM fallback, well, you could use it to protect the computer... not the computer account, but you could at least protect all of the service accounts that you have configured, to prevent something like this. What now, Steve? What's that? Oh, we can force the hashes. So we can force the hashes for all client push accounts, not just the computer account. And so, like I had said earlier, earlier this week Microsoft released the information on this KB article and the related CVE that proved that the NTLM fallback is not honored, and I'm going to show you what I mean by that.

And so as an SCCM administrator, or on the SCCM server itself, you can run this command, or you can essentially just right-click and add a device, and when you add a device you can set up an IP address as the computer name. The MAC address doesn't matter, it doesn't care about the MAC address. And so when it adds a device into SCCM, it adds it just as that "192." (I don't know why it does that, but that's just where it shows), and then when the client attempts to push, because there's no associated Active Directory object, it can't use Kerberos to authenticate, so it's going to attempt to fall back to NTLM. But it shouldn't be able to fall back to NTLM, because we set it to not do it, and for whatever reason (and I don't know how they patched this, honestly, but I do know that direct IP communication is always going to use NTLM) it must just be a bug that they did not account for. And so while this is cool and it earned me a CVE, it's not a weapon, because you have to be on the SCCM server to add the computer to it... or at least it wasn't a weapon. So earlier this year there's a tool called SharpSCCM. Mayhem, a.k.a. Chris Thompson from SpecterOps, is the author of this tool, and he and I have gone back and forth a couple times on this and worked together, and the tool does a lot of cool things. It's, I think, in its third iteration now, and he keeps adding different, uh, vulnerable sort of things to it, but when it was first released, what it did is it allowed us to register a new device in SCCM and then trigger the client installation. And the reason this is cool, and the reason it's a weapon, is you can do this as an unprivileged user from any domain-joined computer, so you don't have to have access to the SCCM server to do this. And so instead of talking more about it, let's watch it.

And so for our last attack here, we're disabling the NTLM fallback, per best practice, because that's essentially what we're attacking and proving that we can. And then I think the best way to do this is to just show a comparison of what standard install behavior looks like versus behavior using SharpSCCM. And so what I'm going to show you on the first half of this demo is just what a normal client installation looks like. And so here we verified again that "allow connection fallback" is unchecked. This hacker machine is already joined to the domain, and in SCCM it just doesn't have the client pushed to it, and so this is that machine. So here I have my shell with domain administrator, and here I'm just going to show you and confirm that I haven't messed with SPNs on it at all, just to confirm that it's just a normal, classic installation. We've disabled the firewall and Defender on this as well, just because I like watching Inveigh and I like watching hashes just appear on your screen; it's just not as cool if you can't just watch it happen. And then here I'm just trying to get all the credentials again, so I've removed the local Domain Admins, and so we're going to set up our Inveigh listener. And once the listener is set up, instead of waiting for domain join or whatever, we're just going to manually push the client, and again, what you're going to see here is I'm going to go to the SCCM server, I'm just going to right-click and install client. And we could do this a number of different ways, but for demo purposes this is just what a normal installation might look like. And so here on Inveigh we're going to see something that we haven't seen before, and that's Kerberos authentication. So that's all that Kerberos looks like, and all it says is authentication method is Kerberos and the IP address, and we can prove that through the Security log again. So here we'll find the logon event. All of the configured accounts did this; I just highlighted that last one, which was the SCCM computer account, and then there you see the Kerberos authentication was used.
All right, and now we're going to go over to the shell that's running as our domain join account, and the reason I run it with that shell is because the tool does require just a domain user account to run; you can't run it as just a local account, which is what I've booted the operating system into, just a normal local administrator account. And so here, running SharpSCCM, I'm using the FQDN of the SCCM server, TRI is the site code, and then I'm telling it to invoke client push, and I'm giving it the target IP of the IP address of this machine. And so it's generating a self-signed certificate here, and then it's connecting to SCCM, it's adding itself as a device in SCCM, and then it's setting itself up to retrieve the client push. And so here, without changing anything else on the system, you'll see the hashes come through in NTLM. And so that is the vulnerability, and that's how we can use SharpSCCM to send us all the hashes regardless of the NTLM fallback setting, and here one more time we can just prove it: NTLM hashes.
Quick question for you? Yeah. [Applause] Thank you. Yeah, go ahead.

So the main thing that the SharpSCCM tool is doing at the end there was forcing the client push rather than having it wait for the normal cycle, is that correct?

So yes, it was originally set up, when Chris built it, and he didn't know it did this. When you set it as the IP address, because instead of using the IP as a target you could just create like a fake computer or whatever and then it would attempt to connect there, and he just did that in response to Matt's tweet saying that, you know, you can uninstall the client or whatever. So by doing this his original intention was to just be able to trigger that authentication to occur. I found the additional detail, and then I found the detail that if you use the IP, it didn't seem to allow, it shouldn't have allowed NTLM to occur. And actually in one of his earlier blog posts he points out that a fix, for his tool and what he had shown using it, was to set that. And I don't know what made me do it, but maybe I just don't trust them. Thank you.

Okay, so let's protect it, right? So now that we broke it, how do we protect it? Like Vincent said, we just burn it to the ground. So this is the KB that just came out that patches the vulnerability, but in addition to that you still do have to disable NTLM fallback.

Is that patch applied to the SCCM server? It is. It's not an OS patch, it's an application patch inside SCCM, so you would get it the same way that you would upgrade the application. I can't remember what the setting is called in SCCM to install the hotfixes.

All right, like I had alluded to earlier, the domain join misconfiguration. So this is a big one, and it's actually been in the news fairly recently with KrbRelayUp, so KrbRelayUp used this as a vector. It's not the only vector it uses, but like I had said earlier, by default the Add workstations to domain GPO, this is a user rights assignment, and by default you have Authenticated Users in there. So remove that and add whatever group you may require would be a good recommendation. In addition to that, a lot of times you'll see recommendations to set ms-DS-MachineAccountQuota to zero, and that's also going to prevent the issue. And then you can use explicit permissions on OUs, so if you need like a help desk employee or something to add... Got it. Oh, okay, yeah, you're right, sorry, explicit permissions. Also, if you don't have access to do the GPOs or you're only an SCCM administrator, you can also just configure exceptions, so in the system discovery settings you can set up an excluded computer OU.

Some other good mitigations are to harden your credentials. So all service accounts, not just client push accounts but service accounts, we recommend, Trimarc likes to recommend that we have 25 character passwords, potentially 30 characters I think is going to be our new recommendation, and that they're highly complex, and they're also changed on a yearly or biyearly basis, and that obviously is going to protect you against offline cracks. Also limit the access, so per Microsoft's recommendation, and I keep saying it, don't make it a domain admin. So that's a big deal. So continue to limit the attack surface, and in doing that, never use a client push account on a tier zero asset.

Can you say that again? Never use a client push account on a tier zero asset. So instead I would recommend, as you're texting your buddies right now, I would recommend that you do a manual install. So even if it's not a domain admin account and it's a server admin account, remove it from the local admins of the tier zero asset, and then if those permissions for the computer account are not necessary then I would recommend removing the permissions on the SCCM computer account. Also I mentioned earlier disabling IPv6 if you're not using it; that's going to prevent the mitm6 spoofing. It's a big guy, isn't it? Also NTLM relay can be prevented by using SMB signing, so enable that in your GPO. That is a little bit harder to do, I will admit. This is also a little bit harder to do: if your SCCM is not set up to use HTTPS, it should be modified to do that. So using PKI is going to enforce encryption and signing, and that's going to help. SharpSCCM is going to use the self-signed cert; it would still obviously encrypt, but it's not from a valid source, so doing the HTTPS would help that. Also disabling LLMNR, NetBIOS and NTLM. Yes, try to disable NTLM, I know that one is terrible and it's very hard to do, but at least use NTLMv2 if you can. Most importantly, just don't use client push. Group policy install and software-based install are much easier also. And I can say this again for tier zero: if you were using SCCM to manage tier zero assets, SCCM is now a tier zero asset, so I would recommend either not using SCCM at all on them or standing up a new instance of SCCM that can be tier zero, that can image only your tier zero assets.

So you're talking about setting up a separate SCCM within the tier zero environment? Yes, yeah, so if you've got like a red forest or something, yeah, do an SCCM just for that forest.

All right, real quick, I've got like two minutes. Thanking all these people. So Trimarc peers are awesome because they've listened to me and they encouraged me and they let me, they listened to me talk about SCCM endlessly for like six months. My WIU peers, so that's where my old employee went, they let me come in as a proof of concept and do this to them, and so I thanked them on that because it's not just a lab environment, I actually was able to prove it in a real environment. Here's some resources; it'll be available later. And questions, I have like 30 seconds. Okay, all right, go ahead. Who had a question? Sorry. And I'll be, so I'll chill out here later too, so if you have a question I don't get to you, something similar later, we could get some of those questions.

Awesome, you're giving the talk in like an hour? Three, okay. Yep, won't be as good. But I bet it will, I'm excited, I was looking forward to watching yours.

Yes sir. So for, [Music] so we're still using those accounts, would you recommend using managed service accounts? Typically yes. SCCM, I do not believe, will let you use a managed service account. When you configure the client push accounts it prompts you for a password, so I think you have to set the, yeah. So they do it in a stupid way, like he's like, of course you can't, managed service accounts are good for nothing. I mean they're good for a lot of things, but you can't use them on a lot of things. All right, anything else? Yes sir.

The question was, would another mitigation be disabling automatic client approval? And by that do you mean like nscc? And so I'm coming off the streets, yeah. Yep, so you could do that. I think HTTPS helps with that too, so you have to have like a push to serve through GPO or something to be able to even join. The other thing you can do is just not use the automatic push, so you could just set up a routine to push on only like known assets or something. Yes.

The CVE you mentioned in the beginning, is that your CVE? Yes, that is my CVE. You just entered security last year, you said? Yeah. It already has a CVE. So my boss, so the founder of Trimarc Security, Sean Metcalf, he found out that I had the CVE and he yelled at me and said that he doesn't even have a Microsoft CVE, so let's cut that from the record again, please. But yeah, so I was super psyched that they came out with the, they released the CVE on Tuesday, and they haven't, I actually found out about it from a reporter that attempted to contact me the next day, and they said hey, we saw you were credited with the CVE, and I was like, Microsoft didn't tell me anything, that they were going to release it or what, and they still to this day haven't talked to me. So I was planning on giving the presentation regardless, but I think it's awesome that they didn't release it.

Thank you.
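The hardening the speaker recommends in the mitigations part of the talk (ms-DS-MachineAccountQuota at zero, Authenticated Users removed from Add workstations to domain, SMB signing required, LLMNR and NetBIOS off, NTLM restricted or at least NTLMv2 only, IPv6 off where unused) gathered into one read-only audit script. This is an added example, not the speaker's or Trimarc's code; it assumes an elevated PowerShell session on a domain-joined host with the RSAT ActiveDirectory module, and the Get-RegDword helper is my own.

```powershell
# Added example, not from the talk: read-only audit of the hardening settings the
# speaker recommends. Assumes an elevated session on a domain-joined Windows host
# with the RSAT ActiveDirectory module; nothing here changes a setting.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-RegDword([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$findings = @()

# 1. ms-DS-MachineAccountQuota: 0 stops ordinary users from creating machine accounts
$dn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne 0) { $findings += "ms-DS-MachineAccountQuota is $quota (recommend 0)" }

# 2. 'Add workstations to domain' user right (SeMachineAccountPrivilege), exported with secedit.
#    S-1-5-11 is the well-known SID for Authenticated Users, the default holder.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
if ($right -and $right.Line -match 'S-1-5-11') { $findings += 'Authenticated Users still hold Add workstations to domain' }
Remove-Item $inf -ErrorAction SilentlyContinue

# 3. SMB signing must be *required* on both sides to block NTLM relay to SMB
foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
    $v = Get-RegDword "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" 'RequireSecuritySignature'
    if ($v -ne 1) { $findings += "$svc does not require SMB signing" }
}

# 4. LLMNR (EnableMulticast=0 disables it) and NetBIOS over TCP/IP (TcpipNetbiosOptions 2 = disabled)
if ((Get-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast') -ne 0) {
    $findings += 'LLMNR is not disabled by policy'
}
$nb = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
      Where-Object { $_.TcpipNetbiosOptions -ne 2 }
if ($nb) { $findings += "NetBIOS over TCP/IP enabled on: $($nb.Description -join ', ')" }

# 5. NTLM: LmCompatibilityLevel 5 = NTLMv2 only; RestrictSendingNTLMTraffic 2 = deny all outbound NTLM
if ((Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel') -lt 5) {
    $findings += 'LmCompatibilityLevel below 5 (NTLMv1/LM responses still allowed)'
}
if ((Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictSendingNTLMTraffic') -ne 2) {
    $findings += 'Outbound NTLM is not blocked (at least require NTLMv2 if you cannot disable it)'
}

# 6. IPv6 left on an IPv4-only network is what mitm6-style spoofing relies on; 0xFF disables all components
if ((Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents') -ne 0xFF) {
    $findings += 'IPv6 components not disabled (only a problem if IPv6 is not actually in use)'
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'All checked hardening settings are in place.' }
```

A missing registry value is reported as a finding on purpose, because for every key checked here the OS default is the weaker setting.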