Up is Down Black is White SCCM

Matt Nelson, Will Schroeder at BSides Boston 2016

Offense and defense overlap more often than you may think. The same tools that allow attackers to disappear into the shadows can be used to tease indicators out of the noise. Lateral movement that blends in with normal traffic can be a challenge in some environments, which makes living 'off the land' with existing functionality even more important to attackers. At the same time, defensive analysts need to be able to gather indicators without tipping their hand to adversaries. Why not use deployed system administration tools against the very sysadmins who rely on them, and why not use existing toolsets to hunt the bad guys trying to hide in plain sight?

This presentation will cover how one common system administration tool, System Center Configuration Manager (SCCM), can be used for both good and evil. We’ll cover a detailed background on SCCM, including typical deployment scenarios and relevant security measures, before diving into how SCCM can be used as either an excellent attack platform or a powerful defensive solution. We will cover our newly developed PowerShell SCCM toolkit (PowerSCCM) in depth and how to apply it no matter which color of team you play on.

Matt Nelson (@enigma0x3) is a red teamer and penetration tester for Veris Group’s Adaptive Threat Division. He performs a variety of offensive services for a number of government and private sector clients, including advanced red team assessments. He has a passion for offensive PowerShell, is an active developer on the PowerShell Empire project, and helps build offensive toolsets to facilitate red team engagements.

Will Schroeder (@harmj0y) is a security researcher and red teamer for Veris Group’s Adaptive Threat Division. He has presented at a number of security conferences including Shmoocon, Defcon, Derbycon and several Security BSides conferences (including BSides Boston!) on topics spanning AV-evasion, post-exploitation, red teaming tradecraft, and offensive PowerShell. He is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a co-founder and core developer of the PowerShell post-exploitation agent Empire.