This article discusses the decryption of service account credentials stored by SCCM (System Center Configuration Manager), in particular the Active Directory Forest Discovery accounts used to enumerate untrusted forests, and covers how those credentials can be extracted and how they should be managed.
Key points:
- The credentials SCCM stores for its forest discovery accounts can be decrypted, including those configured for untrusted forests.
- If the site server is itself a managed SCCM client, service account credentials can also be retrieved through the Administration Service API.
- Other stored deployment credentials can be recovered with the techniques catalogued under CRED-5.
- Credentials are stored in more than one format; the SC_UserAccount table in the site database is the notable case.
- Forest discovery identifies potential management boundaries by querying the local forest and any trusted forests.
- Several SCCM service accounts have been observed holding excessive permissions, which is a security concern in its own right.
- ActiveDirectoryForestDiscoveryAgent.dll implements the forest discovery process and retrieves the configured account usernames.
- The credentials originate in the site control file (SCF), held in the site database, which SCCM administrators can read and potentially modify.
- PowerShell cmdlets can display the current discovery settings and recover the configured account information.
- The encrypted credentials can be decrypted with the existing scripts and methods described under CRED-5.
- Recovering these credentials matters because a forest discovery account for an untrusted forest gives an attacker a foothold for lateral movement into that forest.
- Administrators are advised to adhere to the principle of least privilege and properly manage service accounts.
- Misconfigured accounts (e.g., labeled “not configured”) should be reviewed and removed if no longer in use.
- Future updates to the Misconfiguration Manager will incorporate these decryption techniques for both attackers and defenders.
- Engagement with the community continues through platforms like BloodHound Slack for exchanging SCCM best practices.
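As an added example (not code from the SpecterOps post or from the Misconfiguration Manager project), the following PowerShell script is the review the last few points call for from the defender's side: it lists every forest configured for Active Directory Forest Discovery, the account attached to it, and whether that account sits in a privileged AD group or is missing altogether. It assumes the ConfigurationManager console module and the RSAT ActiveDirectory module are installed, uses the placeholder site code `PS1`, and assumes that the `UserName` property of the `SMS_ADForest` objects returned by `Get-CMActiveDirectoryForest` holds the discovery account (empty when none is set).

```powershell
# Added example, not from the original post. Audits SCCM forest discovery accounts.
# Assumptions: ConfigurationManager module + RSAT ActiveDirectory module installed,
# $SiteCode is your site code ('PS1' is a placeholder), and SMS_ADForest.UserName
# carries the discovery account configured for each forest.
param([string]$SiteCode = 'PS1')

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Import-Module ActiveDirectory
Push-Location "$($SiteCode):"   # CM cmdlets require the site drive as current location

# Groups a discovery-only service account has no business being in.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Account Operators', 'Schema Admins', 'Backup Operators'

function Test-PrivilegedAccount {
    # Accepts DOMAIN\user or user@domain; returns a short status string.
    param([string]$DomainUser)
    if ($DomainUser -match '^(?<dom>[^\\]+)\\(?<usr>.+)$') {
        $domain = $Matches.dom; $user = $Matches.usr
    } elseif ($DomainUser -match '^(?<usr>[^@]+)@(?<dom>.+)$') {
        $domain = $Matches.dom; $user = $Matches.usr
    } else {
        return 'unknown account format'
    }
    try {
        # Direct memberships only; nested membership needs a recursive check.
        $groups = Get-ADPrincipalGroupMembership -Identity $user -Server $domain |
                  Select-Object -ExpandProperty Name
    } catch {
        # Lookups into an untrusted forest fail from here; review that forest directly.
        return "lookup failed ($domain): $($_.Exception.Message)"
    }
    $hits = @($groups | Where-Object { $privilegedGroups -contains $_ })
    if ($hits.Count -gt 0) { "PRIVILEGED: $($hits -join ', ')" } else { 'ok' }
}

$report = foreach ($forest in Get-CMActiveDirectoryForest) {
    $account = $forest.UserName
    $status = if ([string]::IsNullOrWhiteSpace($account)) {
        # A forest with discovery enabled but no account falls back to the site
        # server's computer account; either way it should be reviewed or removed.
        'not configured'
    } else {
        Test-PrivilegedAccount -DomainUser $account
    }
    [pscustomobject]@{
        Forest           = $forest.ForestFQDN
        DiscoveryEnabled = $forest.DiscoveryEnabled
        Account          = if ($account) { $account } else { '<none>' }
        Status           = $status
    }
}

Pop-Location
$report | Format-Table -AutoSize
```

Run it from an administrator's console session; anything reported as PRIVILEGED is a candidate for a dedicated low-privilege discovery account, and anything marked "not configured" with discovery disabled is a candidate for removal with `Remove-CMActiveDirectoryForest`. Accounts in untrusted forests show as lookup failures here and must be checked with credentials valid in that forest.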
Full Story: https://posts.specterops.io/decrypting-the-forest-from-the-trees-661694ed1616?source=rss----f05f8696e3cc---4