New knowledge base compiles Microsoft Configuration Manager attack techniques

This means that should an attacker gain access to this account, they now have local admin on all computers managed via SCCM and can then use that access to dump credentials and find other accounts.

In one instance, penetration testers gained access to a regular user’s SharePoint account; that user in turn had read access to the PXE boot media used by Configuration Manager. PXE boot media is used to boot a computer over the network from a remote location in order to deploy an operating system to it.

The PXE boot media was not password protected and included a certificate that could be used to request the network access account. That account in turn allowed the testers to extract domain administrator accounts for two separate domains.

Moreover, when operating systems are deployed via PXE by Configuration Manager, a task executes that automatically joins that computer to a domain. This is done by a so-called “task sequence domain join account” which creates the corresponding computer object in Active Directory and automatically becomes its owner. The issue is that the credentials for this account are accessible by any PXE client.

“Therefore, if OSD [operating system deployment] is used to join many computers (workstations or servers) to the domain, the domain join account will have ownership over all of them,” the researchers said. “If a server is promoted to domain controller, or granted other Tier Zero roles, the domain join account serves as a direct path to those assets.”
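An audit a defender can run to see whether the ownership problem described above exists in their own directory, as an added example that is not from the article or the knowledge base it describes. It assumes the ActiveDirectory PowerShell module is available and that the task sequence domain join account is named `CM_DomainJoin` (an assumed name; substitute your own).

```powershell
# Added audit example, not code from the article or the knowledge base it covers.
# Assumptions: ActiveDirectory module installed; 'CM_DomainJoin' is a placeholder
# for the sAMAccountName of the task sequence domain join account.
Import-Module ActiveDirectory

$DomainJoinAccount = 'CM_DomainJoin'   # assumption: replace with your account
$domain   = Get-ADDomain
$ownerRef = "$($domain.NetBIOSName)\$DomainJoinAccount"

# Pull every computer object with its security descriptor; the object owner is
# what the domain join account acquires when it creates the computer during OSD.
$owned = Get-ADComputer -Filter * -Properties nTSecurityDescriptor, PrimaryGroupID, OperatingSystem |
    Where-Object { "$($_.nTSecurityDescriptor.Owner)" -eq $ownerRef }

# PrimaryGroupID 516 is "Domain Controllers", 521 is "Read-only Domain Controllers".
# Any hit here is a Tier Zero asset owned by a low-privilege service account.
$tierZero = $owned | Where-Object { $_.PrimaryGroupID -in @(516, 521) }

"Computers owned by ${ownerRef}: $($owned.Count)"
"Of which domain controllers: $($tierZero.Count)"
$tierZero | Select-Object Name, OperatingSystem, DistinguishedName | Format-Table -AutoSize

# Remediation, run only after reviewing the list above: hand ownership of each
# affected object to Domain Admins so the join account no longer controls it.
# foreach ($c in $owned) {
#     $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
#     $acl.SetOwner([System.Security.Principal.NTAccount]"$($domain.NetBIOSName)\Domain Admins")
#     Set-Acl -Path "AD:\$($c.DistinguishedName)" -AclObject $acl
# }
```

Run it as an account that can read nTSecurityDescriptor on computer objects (any authenticated user can by default); the commented remediation block needs rights to change object ownership.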

Another common misuse is enrolling domain controllers as clients in Configuration Manager so they can be remotely managed. This might sound intuitive, but it’s a big security risk because if the Configuration Manager site (central server) is compromised, attackers gain remote code execution on the domain controllers via applications, scripts and package deployments.
