MITRE ATT&CK TTPs
- TA0007 - Discovery
Requirements
- Valid Active Directory domain credentials
Summary
When a primary site server is installed, an entry of “SOFTWARE\Microsoft\SMS” is created in the “Computer Config -> Security Settings -> Local Policies -> Security Options -> Network Access: Remotely Accessible Registry Paths and Sub-Paths” in local group policy. On systems hosting the distribution point role, “SOFTWARE\Microsoft\SMS\DP” is exposed by the remote registry service. This security setting determines which registry paths and sub-paths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. This registry key and sub keys contain information about the current site server and other site servers within the hierarchy. Enumerating this registry key and sub keys on a primary site server and distribution point contributes to attack path discovery.Impact
- Profiling site system roles is a supplementary step in building potential attack paths
- A resolved DP role can be a target for PXE abuse to recover domain credentials detailed in CRED-1
- A resolved DP role can be a target for sensitive information hunting in the Content Library
- A resolved MP role can be a target for spoofing client enrollment CRED-2
- A resolved MP site system role can be used to elevate privileges via credential relay attacks ELEVATE-1
- A resolved Site Database role can be a target for lateral movement or privilege escalation detailed in TAKEOVER-1
Defensive IDs
- DETECT-8: Monitor connections to winreg named pipe
- PREVENT-20: Block unnecessary connections to site systems
Examples
Use pssrecon to enumerate a primary site server or distribution point over winreg. Primary Site Server:References
- Dylan Bradley, pssrecon
- Tomas Rzepka, Looting Microsoft Configuration Manager
- Microsoft, Network Access: Remotely Accessible Registry Paths and Sub-Paths