SeeSeeYouExec: Windows Session Hijacking via CcmExec

This article describes how attackers can abuse the SCCM client service CcmExec to hijack every interactive Windows session by modifying SCNotification.exe’s .config to load a malicious AppDomainManager DLL, and introduces CcmPwn which automates both DLL-based and forced-authentication variants. It includes weaponization details (exec and coerce modules) and recommended detection points. #CcmPwn #CcmExec

Keypoints

  • CcmExec.exe spawns SCNotification.exe for each interactive user session on SCCM clients, and SCNotification.exe is a .NET application with a corresponding .config file.
  • AppDomainManager injection via an application’s .config can force a .NET runtime to load a malicious DLL and execute attacker code inside the application’s process.
  • Attack steps: upload a malicious DLL, modify C:\Windows\CCM\SCNotification.exe.config to reference the DLL/AppDomainManager, then restart the CcmExec service to trigger execution in every logged-in session.
  • CcmPwn (built on Impacket) automates the above with an exec module (uploads DLL+config, restarts CcmExec, restores original config) and a coerce module (points SCNotification.exe to an attacker file share to force SMB/HTTP auth).
  • The exec module has been used to spawn Cobalt Strike beacons in every hijacked session; the coerce module captures coerced authentication attempts (e.g., NetNTLM hashes) without requiring a DLL.
  • Detection opportunities include monitoring SCNotification.exe .config changes, the presence of the “AppDomainManagerType” config string, service stop/start events for CcmExec, and .NET runtime errors (Event ID 1026) when remote DLLs are unreachable.

MITRE Techniques

  • [T1574] Hijack Execution Flow – AppDomainManager injection described as ‘AppDomainManager injection, a loader hijacking technique used by attackers to execute arbitrary code within a .NET application.’
  • [T1105] Ingress Tool Transfer – Uploading a malicious DLL to the target system is noted: ‘Upload a malicious DLL to the target system’ to execute AppDomainManager code.
  • [T1543.003] Create or Modify System Process: Windows Service – Changing SCNotification.exe.config and restarting CcmExec to force execution: ‘Modify the SCNotification.exe.config configuration file… Restart the CcmExec service’.
  • [T1187] Forced Authentication – Coercing SMB/HTTP authentication for every logged-in user via the coerce module: ‘coerces an SMB or HTTP authentication request for every logged-in user.’
  • [T1071.001] Application Layer Protocol: Web Protocols – Use of Cobalt Strike beacons as post-compromise C2 channels: ‘provided us with Cobalt Strike beacons for the hijacked sessions.’

Indicators of Compromise

  • [File Name / Path] SCCM client binaries and config – C:\Windows\CCM\SCNotification.exe, C:\Windows\CCM\SCNotification.exe.config (modified to reference malicious DLL)
  • [File Name] Service executable – CcmExec.exe (parent process spawning SCNotification.exe for each interactive session)
  • [Configuration String] .NET config key – ‘AppDomainManagerType’ present in SCNotification.exe.config (used to load attacker AppDomainManager)
  • [Tool / Implant] Offensive tooling observed – CcmPwn (exec and coerce modules), Impacket library, and resulting Cobalt Strike beacons
  • [Event IDs / Log Context] Detection artifacts – Event ID 1026 (.NET runtime errors) and Event ID 7036 (service stop/start) correlated with network logon type 3

AppDomainManager injection abuses the .NET runtime’s app domain initialization by specifying a custom AppDomainManager in an application’s .config. To weaponize this against SCCM clients, place a malicious DLL implementing a custom AppDomainManager on the endpoint, update C:\Windows\CCM\SCNotification.exe.config to reference the DLL and AppDomainManagerType, then restart the CcmExec service so SCNotification.exe is launched under each interactive session and executes the attacker’s code in those user contexts.

CcmPwn automates both the DLL-based path and a non-DLL forced-authentication path. The exec module uploads the custom .config and DLL, restarts CcmExec, and restores the original config after execution (used to spawn Cobalt Strike beacons in each session). The coerce module instead points SCNotification.exe to load from an attacker-controlled file share, causing SCNotification.exe to attempt remote loads and thereby coerce SMB/HTTP authentications (useful for capturing NetNTLM hashes or relaying) without needing a local DLL.

Operationally, the attack maps to the techniques above as: transfer the payload (T1105), modify SCNotification.exe.config to include appDomainManagerAssembly/appDomainManagerType, trigger the service restart to execute across sessions (T1543.003), and optionally collect coerced authentications (T1187). Post-exploitation actions typically use Cobalt Strike or similar C2 channels (T1071). Read more: https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec/
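A defender-side check for the config indicators listed above (appDomainManagerAssembly/appDomainManagerType under `<runtime>` in SCNotification.exe.config, plus a remote-share reference for the coerce variant), added here as an example and not part of the original article or of CcmPwn. The three sample configs are constructed, and treating a UNC path in a runtime attribute as the forced-authentication indicator is an assumption; the page does not give the tool's exact config layout.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not real captures) shaped like SCNotification.exe.config.
# A stock config has no appDomainManager* elements under <runtime>.
CLEAN = """<configuration>
  <runtime><gcServer enabled="false" /></runtime>
</configuration>"""

INJECTED = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="PlaceholderLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PlaceholderLoader.Manager" />
  </runtime>
</configuration>"""

# Assumed shape of the forced-auth variant: the assembly reference resolves to a
# remote share, so the runtime reaches out over SMB. The tool's exact layout is not given.
COERCE = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="\\\\PLACEHOLDER-HOST\\share\\loader" />
    <appDomainManagerType value="Loader.Manager" />
  </runtime>
</configuration>"""

def audit_config(xml_text: str) -> list[str]:
    """Return findings for one .config (empty list means no injection indicators)."""
    findings = []
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return findings
    for el in runtime.iter():
        tag = el.tag.split("}")[-1]            # strip any XML namespace prefix
        if tag in ("appDomainManagerAssembly", "appDomainManagerType"):
            findings.append(f"{tag}={el.get('value', '')!r}")
        for attr, val in el.attrib.items():
            if val.startswith("\\\\"):         # UNC path: remote load / coerce indicator
                findings.append(f"UNC path in <{tag} {attr}>: {val!r}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN), ("injected", INJECTED), ("coerce", COERCE)):
        print(name, audit_config(cfg) or "no indicators")
```

On a live host, feed the function the contents of C:\Windows\CCM\SCNotification.exe.config and pair any finding with Event ID 7036 (CcmExec stop/start) and Event ID 1026 entries from the same window.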