Up is Down, Black is White: Using SCCM for Wrong and Right

No ratings

Presented at bsidesboston 2016 by

Will Schroeder

Matt Nelson

Offense and defense overlap more often than you may think. The same tools that allow attackers to disappear into the shadows can be used to tease indicators out of the noise. Lateral movement that blends in with normal traffic can be a challenge in some environments, and this makes living 'off the land' with existing functionality even more important to attackers. At the same time, defensive analysts need to be able to gather indicators without tipping their hand to adversaries. Why not use deployed system administration tools against the very sysadmins who rely on them, and why not use existing toolsets to hunt the bad guys trying to hide in plain sight? This presentation will cover how one common system administration tool, System Center Configuration Manager (SCCM) can be used for both good and evil. We’ll cover a detailed background on SCCM, including typical deployment scenarios and relevant security measures, before diving into how SCCM can be used as either an excellent attack platform or a powerful defensive solution. We will cover our newly developed PowerShell SCCM toolkit (PowerSCCM) in depth and how to apply it no matter which color of team you play on.