Lateral Movement

Enable RDP from the command line (registry, PowerShell or cmd):

https://www.top-password.com/blog/enable-remote-desktop-with-registry-powershell-or-command-prompt/
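The procedure linked above works by flipping well-known registry values, which is also what a defender can watch for. The following Python detector is an added example (not code from this page or the linked article): it scans Sysmon Event ID 13 (RegistryEvent, Value Set) records for the RDP-enabling change and for NLA being switched off. The event records, the host paths and the `CORP\svc-deploy` account are constructed sample data.

```python
import re

# Sysmon Event ID 13 records as they would look after export from EVTX to dicts.
# Constructed sample data: two RDP-related value sets by reg.exe, one unrelated change.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-05-01 10:02:11.120",
     "Image": r"C:\Windows\System32\reg.exe", "User": "CORP\\svc-deploy",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2024-05-01 10:02:12.004",
     "Image": r"C:\Windows\System32\reg.exe", "User": "CORP\\svc-deploy",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2024-05-01 10:05:40.331",
     "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect",
     "Details": "DWORD (0x00000001)"},
]

# Lower-cased key suffixes to watch, the value that is suspicious, and the finding text.
WATCHED = {
    r"control\terminal server\fdenytsconnections":
        (0, "Remote Desktop enabled (fDenyTSConnections=0)"),
    r"control\terminal server\winstations\rdp-tcp\userauthentication":
        (0, "NLA disabled for RDP-Tcp (UserAuthentication=0)"),
}

# Sysmon renders DWORD values in the Details field as "DWORD (0x00000000)".
_DWORD = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")


def dword_value(details):
    """Parse a Sysmon DWORD Details string; None for other value types."""
    m = _DWORD.match(details or "")
    return int(m.group(1), 16) if m else None


def detect_rdp_changes(events):
    """Return a finding per Event ID 13 record that sets a watched key to its suspicious value."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "").lower()  # registry paths are case-insensitive
        for suffix, (bad_value, msg) in WATCHED.items():
            if target.endswith(suffix) and dword_value(ev.get("Details")) == bad_value:
                findings.append({"time": ev["UtcTime"], "user": ev["User"],
                                 "image": ev["Image"], "msg": msg})
    return findings


if __name__ == "__main__":
    for f in detect_rdp_changes(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']} via {f['image']}: {f['msg']}")
```

Because the same values are also changed by legitimate administration, the `user` and `image` fields are what lets an analyst separate a deployment account acting on schedule from an interactive reg.exe run on a server that never had RDP enabled.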

SCCM

Full article: https://www.securesystems.de/blog/active-directory-spotlight-attacking-the-microsoft-configuration-manager/

Microsoft #SCCM has code execution ability on #Microsoft Domains Tier-0 systems (https://lnkd.in/dy5su33y). Then let’s attack and … defend it. #TrustEverybodyButCutTheCards

My highlights on attack phase:
- #credentialharvesting is everywhere: locally on SCCM clients and member servers (cached credentials and log files) and a wide set of policy and script variables and parameters
- devastating #persistence and #lateralmovement technique by creating a new application and deploying it onto targeted devices managed by SCCM
- tools are available for post-exploitation without requiring access to the SCCM administration console GUI (SharpSCCM https://lnkd.in/dm73J8E5)

My highlights on defense phase:
- do not use special accounts like NAA or client push installation accounts
- #WMI anomalies detection is essential
- SCCM's own monitoring capabilities are important: SCCM does not seem to use the Windows #EventLog a lot

Full article here: https://lnkd.in/dg_fu5Jd

Previous posts on #ActiveDirectory #cybersecurity:
- Defining Tier-0 assets in #ActiveDirectory and #AzureAD: https://lnkd.in/dy5su33y
- Total #Identity Compromise: #DART lessons on securing AD #attackpath: https://lnkd.in/dM4JDxnz
- “#Identity is new endpoint” and “#LeastPrivilege is the new #CVE”. #Microsoft last Cyber Signals shows it: https://lnkd.in/dJtTNDyy
- Beyond “#Identity is new endpoint”, allow me to say “#Entitlement is the new #CVE”: https://lnkd.in/dsjQKkf6
- #ADFS security: https://lnkd.in/d5YY4fyx
- Authentication information on #AAD can be gathered with #OSINT #enumeration: https://bit.ly/3AQLjIi
- Recap of #SSO used with Azure AD #hybrididentities: same link as above!
- Identity-based #attackpath in #ActiveDirectory: https://lnkd.in/dZyA49V8
- Best #guideline *ever* about #onpremise and AAD architectural #hardening: https://bit.ly/3zMY9XB
- A #securityprogram point of view: https://bit.ly/3zMN3Sj (roadmap to create on-premise / Azure secure architecture)
- Stories from the field about AD #attackpath: https://bit.ly/3KqzHyO
- https://lnkd.in/e_xjzkAA: #top10 Microsoft AD gaps in real life
- https://lnkd.in/eF_BueSe: how to create a prioritized roadmap for AD security with #BloodHound support
- https://lnkd.in/dAZm-Jdc: ImproHound to identify the attack paths in BloodHound breaking your AD tiering
- https://lnkd.in/dm8FACUV: BloodHound to detect critical AD config errors
- https://lnkd.in/duCJ2hwW: BloodHound for #MicrosoftWindows Domain hardening
- https://lnkd.in/dhJVkKx9: Attackers think in graphs and BloodHound too
- https://lnkd.in/ddBBz7ji: BloodHound for #hunting vulnerabilities and #security misconfigurations in AD
- Practice usual #attack techniques on a vulnerable AD environment with GOAD (Game Of D>): https://bit.ly/3ToiPgb

Content Credit: Francesco Faenzi
