No announcement yet.

SharpSCCM - Chris Thompson, Duane Michael

  • Filter
  • Time
  • Show
Clear All
new posts

  • SharpSCCM - Chris Thompson, Duane Michael

    SharpSCCM - Chris Thompson, Duane Michael
    Post-exploitation tool for lateral movement froma C2 agent.


    Chris Thompson, Duane Michael

    SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for lateral movement from a C2 agent without requiring access to the SCCM administration console. SharpSCCM supports lateral movement functions ported from PowerSCCM and contains additional functionality to abuse newly discovered attack primitives for coercing NTLM authentication from local administrator and SCCM site server machine accounts in environments where automatic client push installation is enabled. SharpSCCM can also dump information about the SCCM environment from a client, including domain credentials for Network Access Accounts. Further, with access to an SCCM administrator account, operators of SharpSCCM can execute code as SYSTEM or coerce NTLM authentication from the currently logged-in user or the machine account on any SCCM client.

    Chris is a senior consultant on SpecterOps’s adversary simulation team and has over ten years of experience in information security, serving numerous Fortune 500 clients in the retail, consumer products, financial, and telecom industries. He has extensive experience leading network, web application, and wireless penetration tests, social engineering engagements, and technical security assessments to provide actionable recommendations that align with each organization's security strategy and risk tolerance. Chris enjoys researching and applying new tradecraft to overcome technical challenges and writing tools that automate tasks and improve efficiency.

    Duane is a senior consultant on SpecterOps's adversary simulation team, where he conducts advanced red team exercises and instructs courses on red team operations and vulnerability research. He has over ten years of experience in information security, with a deep curiosity for researching Windows, its internals, and related technologies. Duane strives to demystify tradecraft for clients through both an offensive and defensive lens, an activity he has performed for numerous Fortune 100 clients.

  • #2
    Here are the slides for our talks! Thanks for coming! Let us know if you have any questions and we'd be happy to chat here or on Twitter @_Mayyhem and @subat0mik!