SCCM lab tests

Summary of SCCM-Specific Tactics and Techniques

Scope

This document summarizes tactics and techniques associated with Microsoft Configuration Manager (SCCM / MECM / ConfigMgr), using the Synzack/ludus_sccm lab as the primary reference and Misconfiguration-Manager as the main source for taxonomy and tradecraft.

Its purpose is to support analysis in lab environments and authorized validation work, not to provide intrusion procedures for unauthorized systems.

Why ludus_sccm Is a Strong Reference

The ludus_sccm lab deploys a realistic SCCM architecture that is well suited for testing:

  • DC01 with AD CS.
  • sccm-sitesrv as the site server.
  • sccm-mgmt as the management point.
  • sccm-distro as the distribution point.
  • sccm-sql as a remote site database.
  • Workstation as a managed client.
  • WebDAV enabled on the site server.
  • PXE enabled.
  • Network Access Account (NAA) configured.
  • Client Push enabled with NTLM fallback.
  • AD forest, system, user, and group discovery enabled.

That combination exposes multiple SCCM-specific attack surfaces and makes it possible to reproduce discovery, credential access, remote execution, NTLM relay, and hierarchy takeover scenarios.

Most Relevant SCCM Tactics

According to Misconfiguration-Manager, SCCM techniques cluster around these areas:

  • Initial Access: abuse of PXE and client-accessible policies.
  • Credential Access: NAA, task sequence secrets, DPAPI-protected material, client push accounts, and AdminService credentials.
  • Discovery: enumeration through LDAP, SMB, HTTP, SMS Provider, site systems, and client inventory.
  • Execution: application deployment and script execution through SCCM.
  • Lateral Movement: deployments, CMPivot, and NTLM relay through SCCM components.
  • Privilege Escalation: relays to MSSQL, LDAP, AD CS, SMS Provider, or AdminService.
  • Persistence: abuse of deployments and administrative rights in the hierarchy.

Technique Matrix

CRED-1 - PXE Credentials
  • Tactic: Initial Access, Credential Access
  • Primary prerequisites: network access to a PXE-enabled distribution point; PXE configured
  • Likely impact: recovery of NAA or task sequence secrets; unauthenticated-to-domain foothold

CRED-2 - Policy Request Credentials
  • Tactic: Credential Access
  • Primary prerequisites: computer account context or ability to add a machine to the domain; automatic approval behavior; accessible management point
  • Likely impact: recovery of NAA, collection variable secrets, or task sequence credentials

EXEC-1 - Application Deployment
  • Tactic: Execution, Lateral Movement
  • Primary prerequisites: SCCM administrative role with application deployment capability
  • Likely impact: remote command or binary execution as user or SYSTEM on managed clients

EXEC-2 - PowerShell Script Execution
  • Tactic: Execution, Lateral Movement
  • Primary prerequisites: SCCM role with script creation, approval, and execution rights
  • Likely impact: remote PowerShell execution as SYSTEM on one or more clients

RECON-5 - Locate Users via SMS Provider
  • Tactic: Discovery
  • Primary prerequisites: read access through SMS Provider or AdminService
  • Likely impact: identification of admin workstations, primary devices, and recent user activity

ELEVATE-2 - NTLM Relay via Automatic Client Push Installation
  • Tactic: Privilege Escalation, Lateral Movement
  • Primary prerequisites: automatic client push enabled; NTLM fallback enabled; reachable management point; relay path available
  • Likely impact: compromise of client push credentials or site server identity

TAKEOVER-1 - Relay to Site DB (MSSQL)
  • Tactic: Privilege Escalation, Lateral Movement
  • Primary prerequisites: remote site database; coercible SCCM system; relay path to MSSQL
  • Likely impact: SCCM Full Administrator assignment and hierarchy control

TAKEOVER-3 - Relay to AD CS
  • Tactic: Privilege Escalation, Lateral Movement
  • Primary prerequisites: AD CS web enrollment or related service reachable; coercible SCCM system; vulnerable enrollment flow
  • Likely impact: certificate-based impersonation of SCCM systems and follow-on hierarchy abuse

Key Techniques Observable in the Lab

1. CRED-1 - PXE Credentials

  • Surface: distribution point with PXE enabled.
  • Relevance in ludus_sccm: ludus_sccm_enable_pxe: true.
  • Risk: an actor with network access may retrieve PXE boot material and extract secrets, including credentials embedded in policies or task sequences.
  • Typical impact: transition from unauthenticated network access to reusable domain credentials.

2. CRED-2 - Policy Request Credentials

  • Surface: management point and automatic client approval flow.
  • Relevance in ludus_sccm: NAA is configured and the lab models a complete SCCM client environment.
  • Risk: an authenticated SCCM client may request machine policy and recover obfuscated secrets, especially NAA credentials and credentials stored in task sequences or collection variables.
  • Typical impact: escalation from a domain user or computer context into accounts with content access or higher privilege due to poor account scoping.

3. EXEC-1 - Application Deployment

  • Surface: SCCM console, SMS Provider, or AdminService with deployment permissions.
  • Relevance in the lab: the client workstation and hierarchy allow realistic validation of collection-based deployments.
  • Risk: an operator with suitable SCCM rights may deploy binaries or commands to clients as the user context or SYSTEM.
  • Typical impact: remote execution, lateral movement, and possible NTLM coercion through attacker-controlled UNC paths.

4. EXEC-2 - PowerShell Script Execution

  • Surface: SCCM Run Script capability.
  • Relevance in the lab: the environment is suitable for testing administrative remote execution against managed clients.
  • Risk: any principal with sufficient SCCM permissions may run remote PowerShell as SYSTEM.
  • Typical impact: post-exploitation actions, persistence, collection, or tooling deployment.

5. RECON-5 - Locate Users via SMS Provider

  • Surface: SMS Provider and inventory or user-device affinity data.
  • Relevance in the lab: user, system, and affinity discovery are enabled in the base deployment.
  • Risk: actors with read access can identify administrator workstations, recently logged-in users, and primary-device relationships.
  • Typical impact: precise target selection for deployments, relay attempts, or lateral movement.

6. ELEVATE-2 - NTLM Relay via Automatic Client Push Installation

  • Surface: automatic client push, NTLM fallback, and SMB or HTTP connectivity.
  • Relevance in ludus_sccm:
    • ludus_sccm_configure_client_push: true
    • ludus_sccm_enable_automatic_client_push_installation: true
    • ludus_sccm_allow_NTLM_fallback: true
    • enable_webdav on the site server
  • Risk: SCCM may authenticate automatically to attacker-controlled destinations during client push, enabling NTLM coercion and relay.
  • Typical impact: compromise of client push accounts or the site server identity, with local or domain escalation depending on effective privileges.

7. TAKEOVER-1 - Relay to Site DB (MSSQL)

  • Surface: remote SCCM site database on sccm-sql.
  • Relevance in ludus_sccm: SQL is separated from the site server, which is exactly the pattern that makes relay to MSSQL especially valuable.
  • Risk: if NTLM authentication is coerced from the site server or SMS Provider toward a relay server, that identity may be reused against the SCCM database, where those systems often hold high privileges.
  • Typical impact: assignment of the Full Administrator role in SCCM and control of the hierarchy.

8. TAKEOVER-3 - Relay to AD CS

  • Surface: AD CS and certificate enrollment web services.
  • Relevance in ludus_sccm: the domain controller installs AD CS and the lab is designed for SCCM scenarios that may use PKI.
  • Risk: a coerced site-system identity may be relayed to AD CS to obtain a certificate usable for authentication as that system.
  • Typical impact: takeover of SCCM components and follow-on escalation to Full Administrator.

Especially Realistic Attack Chains in This Lab

Chain A - PXE to Reusable Secrets

  • PXE exposed on the distribution point.
  • Recovery of boot media or variable files.
  • Extraction of NAA or task sequence credentials.
  • Access to content, shares, or additional systems.

Chain B - Domain Client to SCCM Secrets

  • Creation or control of a domain computer account.
  • Registration or approval as an SCCM client.
  • Request for machine policy.
  • Recovery of NAA, collection variables, or deployment secrets.

Chain C - Client Push to NTLM Relay

  • Registration of a target host to trigger client push.
  • Authentication from the site server or client push account to an attacker-controlled server.
  • SMB or HTTP relay to an internal target.
  • Local or domain escalation depending on the relay target configuration.

Chain D - Relay to MSSQL and Hierarchy Takeover

  • NTLM coercion from the site server or SMS Provider.
  • Relay to sccm-sql.
  • RBAC modification in the CM_<SiteCode> database.
  • Addition of an attacker-controlled principal as Full Administrator.
  • Follow-on use of Application Deployment, Run Script, or CMPivot for full operational control.

Chain E - Relay to AD CS

  • Coercion from a site system.
  • Relay to an AD CS enrollment web endpoint.
  • Certificate issuance in the name of the coerced system.
  • Authentication as that system and administrative abuse of SCCM.

Concrete Risk Indicators Present in ludus_sccm

  • Configured NAA: increases the value of policies, PXE material, and task sequences.
  • Automatic client push: expands coercion opportunities.
  • NTLM fallback: makes relay more practical than in PKI- or Kerberos-only configurations.
  • WebDAV or WebClient exposure: can enable more interesting HTTP-based coercion chains.
  • AD CS in the domain: enables certificate abuse and ESC8-style scenarios if web enrollment is available and weakly protected.
  • Remote SQL: favors relay-to-MSSQL takeover paths.
  • Broad discovery: improves the quality of inventory available to operators with SCCM access.

Practical Prioritization for Testing

If the goal is to quickly assess exposure in this lab, the most useful order is usually:

  1. Validate CRED-1 and CRED-2 to determine secret exposure.
  2. Review ELEVATE-2 because of the client push + NTLM fallback + WebDAV combination.
  3. Check whether TAKEOVER-1 is feasible when the SCCM database is remote.
  4. Check whether TAKEOVER-3 is feasible if AD CS web enrollment is available.
  5. With SCCM privileges, measure operational impact through EXEC-1, EXEC-2, and RECON-5.
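As an added example (not code from ludus_sccm or Misconfiguration-Manager), the following Python encodes the risk indicators above and the prerequisites from the technique matrix as rules, so a lab configuration can be checked for which techniques it exposes, which settings make them worse, and which single prerequisite currently holds the remaining ones back. The ludus_sccm_* variables and enable_webdav are the names quoted in this summary; naa_configured, remote_site_db and adcs_web_enrollment are assumed keys standing in for facts the lab fixes by design rather than through a flag.

```python
# Added example, not code from ludus_sccm or Misconfiguration-Manager.
# naa_configured, remote_site_db and adcs_web_enrollment are hypothetical
# keys; the other names are the role variables quoted in the summary above.
from typing import Dict, List

# technique -> (settings that must all be true, settings that raise severity
#               without being required, position in the testing order above)
RULES = {
    "CRED-1": (("ludus_sccm_enable_pxe",), ("naa_configured",), 1),
    "CRED-2": (("naa_configured",), (), 1),
    "ELEVATE-2": (("ludus_sccm_configure_client_push",
                   "ludus_sccm_enable_automatic_client_push_installation",
                   "ludus_sccm_allow_NTLM_fallback"), ("enable_webdav",), 2),
    "TAKEOVER-1": (("remote_site_db",), ("ludus_sccm_allow_NTLM_fallback",), 3),
    "TAKEOVER-3": (("adcs_web_enrollment",), ("ludus_sccm_allow_NTLM_fallback",), 4),
}

# Constructed to mirror the ludus_sccm deployment described in this summary.
LAB_CONFIG = {
    "ludus_sccm_enable_pxe": True,
    "ludus_sccm_configure_client_push": True,
    "ludus_sccm_enable_automatic_client_push_installation": True,
    "ludus_sccm_allow_NTLM_fallback": True,
    "enable_webdav": True,
    "naa_configured": True,        # hypothetical key: NAA is configured
    "remote_site_db": True,        # hypothetical key: sccm-sql is a separate host
    "adcs_web_enrollment": False,  # hypothetical key: not confirmed in the lab
}


def assess(config: Dict[str, bool]) -> Dict[str, object]:
    """Return the techniques the config exposes (in testing order), the
    settings that make each exposed technique worse, and for each technique
    that is not exposed the prerequisites currently holding it back."""
    exposed: List[str] = []
    amplified: Dict[str, List[str]] = {}
    blocked: Dict[str, List[str]] = {}
    for tech, (required, amplifiers, _) in sorted(RULES.items(),
                                                   key=lambda kv: kv[1][2]):
        missing = [s for s in required if not config.get(s, False)]
        if missing:                  # prerequisites are conjunctive, so one
            blocked[tech] = missing  # unset setting is enough to close the path
            continue
        exposed.append(tech)
        extra = [s for s in amplifiers if config.get(s, False)]
        if extra:
            amplified[tech] = extra
    return {"exposed": exposed, "amplified": amplified, "blocked": blocked}
```

Against the constructed LAB_CONFIG the check reports CRED-1, CRED-2, ELEVATE-2 and TAKEOVER-1 as exposed and TAKEOVER-3 as held back only by unconfirmed web enrollment; setting ludus_sccm_allow_NTLM_fallback to False moves ELEVATE-2 into the blocked set and removes the NTLM amplifier from TAKEOVER-1.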

References

  • https://github.com/Synzack/ludus_sccm
  • https://github.com/subat0mik/Misconfiguration-Manager
  • https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-1/cred-1_description.md
  • https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md
  • https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/EXEC/EXEC-1/exec-1_description.md
  • https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/EXEC/EXEC-2/exec-2_description.md
  • https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/RECON/RECON-5/recon-5_description.md
  • https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/ELEVATE/ELEVATE-2/ELEVATE-2_description.md
  • https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/TAKEOVER/TAKEOVER-1/takeover-1_description.md
  • https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/TAKEOVER/TAKEOVER-3/takeover-3_description.md

This post is licensed under CC BY 4.0 by the author.