Misconfiguration Manager: The Cybersecurity Bible for Windows Administrators

Teacher

SpecterOps has a lesson for you: how do you manage Microsoft servers securely?

A group of researchers from SpecterOps has announced the release of Misconfiguration Manager — an extensive repository of attack and protection methods for the Microsoft Configuration Manager (MCM) environment. This product, formerly known as System Center Configuration Manager (SCCM), has been helping administrators manage servers and workstations in Windows domains since 1994, but it is often misconfigured, creating security risks.

Misconfiguration Manager was presented at the SO-CON conference. The authors of the repository are SpecterOps researchers Chris Thompson, Garrett Foster, and Duane Michael. As the researchers explain, their approach goes beyond a simple description of the tactics used by known attackers: the repository also includes methods developed during pentests, red team operations, and independent security research.

Duane Michael's blog gives examples of the most common and most dangerous MCM configuration errors the researchers have encountered. These include giving Network Access Accounts (NAAs) excessive privileges: novice or inexperienced administrators often use a single privileged account for all MCM services.

In one case, the researchers were able to trace a chain from the compromise of a standard SharePoint user's account to the takeover of a domain controller, solely due to errors made when deploying MCM with a privileged NAA.

Another common problem is domain controllers being registered as client devices in the MCM infrastructure. If the hierarchy is configured incorrectly, this opens the door to remote code execution on those domain controllers.
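The two misconfigurations above (a privileged NAA, and domain controllers enrolled as MCM clients) can both be audited from a management host. The script below is an added example, not code from the Misconfiguration Manager repository; it assumes Windows PowerShell 5.1 with the ActiveDirectory RSAT module, rights to query services on the domain controllers, and that you supply the NAA names yourself in the constructed `$NaaCandidates` list, since MCM does not publish them in AD.

```powershell
# Added defensive audit script (not from the Misconfiguration Manager repository).
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName) and the
# ActiveDirectory RSAT module. Account names below are constructed examples.
Import-Module ActiveDirectory

$NaaCandidates = @('svc_sccm_naa', 'svc_sccm')   # constructed: your NAA account names

# Check 1: is any Network Access Account candidate a member of a highly
# privileged group? The NAA only needs read access to distribution points.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
foreach ($group in $PrivilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty SamAccountName
    foreach ($naa in $NaaCandidates) {
        if ($members -contains $naa) {
            Write-Warning "NAA candidate '$naa' is a member of '$group' (excessive privilege)"
        }
    }
}

# Check 2: does any domain controller run the MCM client agent?
# The client service is 'CcmExec' (display name "SMS Agent Host").
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    $svc = Get-Service -ComputerName $dc -Name 'CcmExec' -ErrorAction SilentlyContinue
    if ($svc) {
        Write-Warning "Domain controller $dc has the MCM client installed (CcmExec is $($svc.Status))"
    } else {
        Write-Output "OK: $dc has no MCM client service"
    }
}
```

Any warning from the first check means the NAA should be replaced with a low-privilege account; any warning from the second means that domain controller should be removed from the MCM hierarchy, or the hierarchy reviewed so that it cannot be used to push code to it.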

In another test, the SpecterOps team managed to break into the central database of the MCM administrative site and grant themselves a full-rights administrator role. After that, using MCM's own functionality, they were able to run malicious code that had previously been placed in a network share on one of the computers in the domain.

The Misconfiguration Manager repository describes 22 attack methods that can be used to compromise MCM directly or to exploit the surrounding environment. The techniques are grouped into types: credential access, privilege escalation, reconnaissance, and hierarchy takeover.

For each threat vector, the authors propose protection methods divided into three categories:
  • PREVENT — configuration changes that neutralize a particular method.
  • DETECT — recommendations for detecting traces of an attack.
  • CANARY — detection strategies that use a kind of "bait" for intruders.

Given that MCM must be deployed inside the Windows domain environment, and given how widely it is used, an incorrect configuration of this product can seriously reduce a company's security level. Configuring MCM correctly is a task that only very experienced administrators can handle.

The authors of Misconfiguration Manager urge you to thoroughly test the described security measures before putting them into production.