Christopher Panayi - Pulling Passwords out of Configuration Manager: Practical Attacks against Microsoft's Endpoint Management Software

Christopher Panayi, Chief Research Officer, MWR CyberSec, He/Him

Presentation Title: Pulling Passwords out of Configuration Manager: Practical Attacks against Microsoft's Endpoint Management Software
Length of presentation: 45 Minutes
DEMO, Tool


System Center Configuration Manager, now Microsoft Endpoint Configuration Manager (MECM), is a software management product that has been widely adopted by large organizations to deploy, update, and manage software; it is commonly responsible for the deployment and management of the majority of server and workstation machines in enterprise Windows environments.

This talk will provide an outline of how MECM is used to deploy machines into enterprise environments (typically through network booting, although it supports various Operating System deployment techniques), and will explore attacks that allow Active Directory credentials to be extracted from this process. The common MECM misconfigurations leading to these attacks will be detailed and, in so doing, the talk will aim to show how to identify and exploit these misconfigurations and how to defend against these attacks. Each viable attack will be discussed in depth (mostly by discussing the protocols and architecture in use, but sometimes by diving into relevant code, if necessary) so that the context of how and why the attack works will be understood. These concepts will be illustrated through the demo and release of a tool that allows for the extraction of credentials from several of the onsite deployment techniques that MECM supports.


Christopher is the Chief Research Officer at MWR CyberSec, having previously led cyber-defense, red team, and targeted attack simulation (TAS) engagements for several years, as well as having designed and helped run the in-house training programme for security consultants at MWR. As part of this work, a major focus area for him had been understanding attack techniques impacting Active Directory (AD); this led to publications such as a discussion of practical ways to perform pass-the-hash attacks and a discussion of the previous gold standard in AD security, the red forest, and why it did not meet its goal of making environments more secure in many cases. His interest in how things work at a deep technical level - and desire to develop an understanding of how to use this information to compromise and secure systems and environments - has led him to his current focus, investigating and understanding Microsoft Endpoint Configuration Manager, how it interacts with AD, and how to abuse its configuration to attack enterprise environments.



1. - A useful outline of some types of PXE attacks not covered in my talk, but also not MECM specific
2. - Describes a technique to print out all WinPE environment variables inside a booted environment; I used this when first exploiting and exploring the issues my talk highlights
3. - This page details many of the attacks that are possible against MECM Operating System Deployment (OSD) techniques. It is quite comprehensive, so clearly the designers and coders had thought about potential attacks, but the practical guidance given here and elsewhere is not translating into clients configuring their environments correctly
4. - A page describing the correct permissions for MECM accounts as provided by Microsoft
5. - Page detailing the MECM supported methods for doing OS Deployment. If vulnerable, PXE-initiated deployments and deployments with media are known to be exploitable with the techniques and tooling detailed in the talk (although some deployment methods may require prerequisites to be met first)

The most useful references were the Microsoft documentation, as it describes many of the security assumptions made by the developers of MECM.