Threat actors can use Microsoft SCCM misconfigs for cyber attacks
Four attack methods could impact your SCCM
Published on March 12, 2024
Researchers discovered that a misconfigured Microsoft Configuration Manager (SCCM) can lead to security vulnerabilities. A threat actor can use this opportunity for cyber attacks, such as deploying payloads or compromising a domain controller. SCCM is deployed in many Active Directory environments, where it helps admins manage workstations and servers on Windows networks.
During the SO-CON security conference, SpecterOps announced their repository of attacks based on faulty SCCM configurations. You can check it out by visiting their GitHub Misconfiguration Manager page. Their research differs from other work on the subject because it draws on penetration testing, red team operations, and security research.
What is SCCM?
SCCM stands for System Center Configuration Manager, and you might know it as Configuration Manager or MCM. You can use the MCM tool to manage, secure, and deploy devices and applications. However, SCCM is not easy to set up, and its default configurations lead to security vulnerabilities.
Attackers can gain control over your domain by exploiting your SCCM security vulnerabilities. According to the researchers, cybercriminals can abuse your network access accounts (NAA) if those accounts hold more privileges than they need.
An unknowing or novice administrator could also use the same account for every SCCM role, which lowers security across all devices that depend on it. Furthermore, some MCM site systems could be hosted on domain controllers, which can lead to remote code execution on the domain controller, especially if the site hierarchy is not in order.
Depending on the environment, an attacker could use four different attack methods. The first method can allow access to credentials (CRED). The second can elevate privileges (ELEVATE). The third can perform reconnaissance and discovery (RECON), and the final one gains control over the SCCM hierarchy (TAKEOVER).
Ultimately, you should properly manage your SCCM and verify that the hierarchy is in order. There are also three ways in which you can defend yourself. The first is to prevent attacks by hardening your MCM configuration so that the attack technique no longer works (PREVENT).
The second is to monitor your logs for suspicious activity and to use intrusion detection systems (DETECT). The third is to plant fake configuration settings and embed hidden data that reveal an attacker's presence (CANARY).
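The misconfigurations and defenses described above, as an added example that is not code from the article or from SpecterOps' Misconfiguration Manager project: a small Python audit over a constructed inventory that flags an over-privileged NAA, an account reused across roles, and a site system hosted on a domain controller (the CRED and TAKEOVER classes), followed by a DETECT step that scans constructed logon records for an NAA authenticating somewhere other than a distribution point. The inventory, the group list, the role labels and the "NAA only logs on to distribution points" heuristic are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Iterable

# Groups whose membership makes a service account over-privileged for the NAA role.
# Constructed list for this example; tune it to your own tiering model.
HIGH_PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset   # AD group memberships
    roles: frozenset    # MCM roles the account is used for (constructed labels)


@dataclass(frozen=True)
class SiteSystem:
    host: str
    roles: frozenset    # e.g. "management-point", "distribution-point", "site-server"
    is_domain_controller: bool


def audit(accounts: Iterable[Account], systems: Iterable[SiteSystem]) -> list:
    """Return (category, message) findings using the CRED/TAKEOVER labels from the article."""
    findings = []
    for acct in accounts:
        over = acct.groups & HIGH_PRIV_GROUPS
        if "NAA" in acct.roles and over:
            findings.append(("CRED", f"NAA '{acct.name}' is over-privileged: {sorted(over)}"))
        if len(acct.roles) > 1:
            # One account shared across roles: a single credential leak exposes all of them.
            findings.append(("CRED", f"'{acct.name}' is reused across roles {sorted(acct.roles)}"))
    for system in systems:
        if system.is_domain_controller:
            findings.append(("TAKEOVER", f"site system '{system.host}' ({sorted(system.roles)}) "
                                         "runs on a domain controller"))
    return findings


def detect_unexpected_naa_logons(records, naa_names, distribution_points) -> list:
    """DETECT: flag network logons (type 3) by an NAA to hosts that are not distribution points.

    Assumed heuristic for this example: clients present the NAA only when fetching
    content from distribution points, so an NAA logon elsewhere deserves review.
    """
    alerts = []
    for rec in records:
        if (rec["account"] in naa_names and rec["logon_type"] == 3
                and rec["host"] not in distribution_points):
            alerts.append(f"{rec['time']} NAA '{rec['account']}' logged on to '{rec['host']}'")
    return alerts


# Constructed sample inventory (not real data).
ACCOUNTS = [
    Account("svc_sccm_naa", frozenset({"Domain Users", "Domain Admins"}), frozenset({"NAA", "client-push"})),
    Account("svc_sccm_sql", frozenset({"Domain Users"}), frozenset({"SQL"})),
]
SYSTEMS = [
    SiteSystem("DC01", frozenset({"management-point"}), True),
    SiteSystem("DP01", frozenset({"distribution-point"}), False),
]
# Constructed logon records, with fields modelled on a Windows 4624 logon event; values are made up.
LOGONS = [
    {"time": "2024-03-12T09:00:00Z", "account": "svc_sccm_naa", "host": "DP01", "logon_type": 3},
    {"time": "2024-03-12T09:05:00Z", "account": "svc_sccm_naa", "host": "WS042", "logon_type": 3},
    {"time": "2024-03-12T09:06:00Z", "account": "svc_sccm_sql", "host": "DB01", "logon_type": 3},
]

if __name__ == "__main__":
    for category, message in audit(ACCOUNTS, SYSTEMS):
        print(f"[{category}] {message}")
    for alert in detect_unexpected_naa_logons(LOGONS, {"svc_sccm_naa"}, {"DP01"}):
        print("[DETECT]", alert)
```

Run against the constructed data, the audit reports two CRED findings for the NAA (Domain Admins membership and reuse for client push) and one TAKEOVER finding for the management point on DC01, and the detection step raises a single alert for the NAA logon to WS042 while the logon to DP01 passes.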
What are your thoughts? Were you aware of this security vulnerability? Let us know in the comments.
Sebastian Filipoiu
Sebastian is a content writer with a desire to learn everything new about AI and gaming. So, he spends his time writing prompts on various LLMs to understand them better. Additionally, Sebastian has experience fixing performance-related problems in video games and knows his way around Windows. Also, he is interested in anything related to quantum technology and becomes a research freak when he wants to learn more.