Misconfiguration Manager

This repository serves as a central knowledge base for all known Microsoft Configuration Manager (a.k.a. MCM, ConfigMgr, System Center Configuration Manager, or SCCM) tradecraft and associated defensive and hardening guidance. Our goal is to help demystify SCCM tradecraft and simplify SCCM attack path management for defenders while also educating offensive security professionals on this nebulous attack surface. Designed to go beyond the static nature of whitepapers, this living repository documents known SCCM misconfigurations and their abuses and encourages ongoing contributions from the community to enhance its relevance and utility.

We’ve curated this repository to raise awareness of the rapidly evolving SCCM threat landscape, drawing inspiration from the MITRE ATT&CK framework, with a few deviations. We were also strongly influenced by Push Security’s SaaS attack techniques matrix as well as Will Schroeder and Lee Chagolla-Christensen’s Certified Pre-Owned whitepaper.

Our approach extends beyond cataloging the tactics of known adversaries to include contributions from the realm of penetration testing, red team operations, and security research. At SpecterOps, we’ve leveraged many misconfigurations highlighted in this repository in real-world environments, while others represent experimental and exploratory research projects proved out in a lab environment.

This project also serves as a central point of reference for all of the SCCM attack and defense resources that we’re aware of.

We openly invite you to submit both proven and exploratory SCCM-focused attack techniques and defensive strategies and resources to this project and to provide any feedback and recommendations about the content in this repository.

How to use this project

Start with the SCCM Attack Matrix and SCCM Attack and Defense Matrix below, which map attack techniques to their MITRE ATT&CK framework tactics, as well as to their detection and prevention strategies.

Offensive security practitioners may also benefit from reviewing the list of known and documented Attack Techniques, which identifies the security context and network access that are required for each technique.

Defenders and IT administrators may benefit from reviewing the list of known and documented Defense Techniques, which identifies the administrator roles we think are most likely to be involved in the implementation of each item.

If you aren’t familiar with a term used in a technique’s description, refer to the glossary page, which contains definitions for terms commonly used in SCCM.

If you’d like to test these techniques in a lab environment or learn more about SCCM attack and defense, please refer to the resources page, which contains links to all the SCCM lab and attack/defense resources that we are aware of, many of which inspired and informed the information in this repository.

If we’ve overlooked anything or are missing credits for prior work, please reach out to us or submit a pull request and we’d be happy to make updates.

SCCM Attack Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration |
|---|---|---|---|---|---|---|---|---|---|---|
| PXE Creds | App Deployment | App Deployment | Relay to Site Server SMB | App Deployment | PXE Credentials | LDAP Enumeration | Relay to Site DB (MSSQL) | CMPivot | CMPivot | |
| | Script Deployment | Script Deployment | Relay Client Push Installation | Script Deployment | Policy Request Credentials | SMB Enumeration | Relay to AdminService | | | |
| | | Relay to ADCS | Relay to Site DB (MSSQL) | | DPAPI Credentials | HTTP Enumeration | Relay Between HA | | | |
| | | Relay to LDAP | Relay to LDAP | | Legacy Credentials | CMPivot | App Deployment | | | |
| | | | Relay to Site DB (SMB) | | Site Database Credentials | | Script Deployment | | | |
| | | | Relay to ADCS | | | | Relay to Site Server (SMB) | | | |
| | | | Relay CAS to Child | | | | Relay Client Push Installation | | | |
| | | | Relay to AdminService | | | | Relay CAS to Child | | | |
| | | | Relay to SMS Provider (SMB) | | | | Relay to SMS Provider (SMB) | | | |
| | | | Relay Between HA | | | | SQL Linked as DBA | | | |
| | | | SQL Linked as DBA | | | | | | | |

SCCM Attack and Defense Matrix

Columns (attack techniques): CRED-1 to CRED-5, ELEVATE-1 to ELEVATE-2, EXEC-1 to EXEC-2, RECON-1 to RECON-5, TAKEOVER-1 to TAKEOVER-9.
Rows (defense techniques): CANARY-1, DETECT-1 to DETECT-5, PREVENT-1 to PREVENT-22.
[Matrix body: an X marks each defense technique that applies to an attack technique.]

Taxonomy Overview

At the time of release, TAKEOVER-1 through TAKEOVER-9 are, in our opinion, ordered by descending likelihood based on system defaults and our experience testing SCCM hierarchies. Further additions will follow sequential order by release date.

With the exception of TAKEOVER, these techniques are numbered in no particular order. A higher or lower number does not represent our opinion of the item’s importance, likelihood, or how it should be prioritized.

Attack Techniques

Techniques coded with a CRED moniker primarily abuse credential access. CRED techniques are the most common we’ve seen and often lead to direct hierarchy takeover or domain compromise.

Techniques coded with an ELEVATE moniker can be used for either local or domain privilege escalation. In some cases, these can be chained with other techniques for a hierarchy takeover primitive.

Techniques coded with an EXEC moniker can be used to execute commands, scripts, code, etc. on a remote target through SCCM’s built-in functionality.

Techniques coded with a RECON moniker relate to either performing reconnaissance against SCCM infrastructure or using SCCM to conduct further reconnaissance.

Techniques coded with a TAKEOVER moniker describe the various steps necessary to compromise an SCCM hierarchy.

Defense Techniques

Defensive strategies coded with a CANARY moniker describe deception strategies that could be used to lure adversaries into tripping a high-fidelity detection.

Defensive strategies coded with a DETECT moniker describe strategies for detecting offensive techniques. In some cases, multiple DETECT strategies may be required for a stronger detection.

Defensive strategies coded with a PREVENT moniker describe configuration changes to mitigate one or more aspects of an offensive technique. In some cases, multiple PREVENT strategies may be needed to fully mitigate an offensive technique.

NOTE: We strongly recommend proper and thorough testing of any changes before configuring them in a production environment. The authors and contributors of this repository are not responsible for any breaking changes. Use as a guide at your own risk.

Contributors

Duane Michael, Chris Thompson, and Garrett Foster are the primary authors of this project, with contributions from Diego Lomellini and Josh Prager.

Please reach out to us on Twitter or join us in the #sccm channel on the BloodHoundGang Slack if you have any questions or are interested in contributing!

Originally published on GitHub: Misconfiguration Manager

Copyright notice: posted by admin on 14 March 2024 at 12:47 AM.
Please credit when reposting: Misconfiguration Manager | CTF导航