Summary
An attacker can enumerate SCCM infrastructure by locally accessing SCCM logs on a compromised client. By default, all SCCM-enrolled clients have specific directories associated with SCCM:
- C:\Windows\CCMCACHE
- C:\Windows\CCMSETUP
- C:\Windows\CCM\Logs
The C:\Windows\CCM file path is readable by non-administrators by default. From the logs located within this path, attackers can enumerate SCCM infrastructure hostnames, deployments, and other details.
From a tradecraft perspective, offensive operators would only need to review the files from within the file browser of the C2, making this method of enumeration one of the most evasive with respect to default telemetry generation.
Additionally, the registry key/value HKLM:\SOFTWARE\Microsoft\SMS\DP\ManagementPoints lists the Distribution Points and Management Points for that particular SCCM-enrolled client.
By default, most forms of telemetry will not generate an event for file access or registry key/value queries. Defenders can generate custom auditing on these default file/registry locations and identify anomalous processes and users accessing them via a SACL set on those locations.
The following is an example of a SACL set on the C:\Windows\CCM\Logs\* file path:
The following is an example of a SACL set on the HKLM:\SOFTWARE\Microsoft\SMS\DP registry key/values:
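As an added example (not a screenshot or script from the original page), the following PowerShell applies the same two SACLs described above: a read-audit rule on C:\Windows\CCM\Logs and a query-audit rule on the HKLM:\SOFTWARE\Microsoft\SMS\DP key. It assumes it is run elevated on an SCCM-enrolled client; the auditpol subcategory names and the Everyone principal are standard Windows values, and the choice to audit successes only is an assumption you can widen to failures.

```powershell
# Added example: set SACLs on the default SCCM client log directory and DP/MP registry key
# so that reads/queries are written to the Security log as object-access events.
# Assumes an elevated session (SeSecurityPrivilege is needed to read/write SACLs).

# SACL entries only produce events when the matching audit subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry"    /success:enable /failure:enable

# --- File system SACL on C:\Windows\CCM\Logs (applies to existing and new files/subfolders) ---
$logPath = 'C:\Windows\CCM\Logs'
$logAcl  = Get-Acl -Path $logPath -Audit

$fileRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',                                                  # any principal, including non-admins
    [System.Security.AccessControl.FileSystemRights]::ReadData,  # audit file reads
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)         # assumption: successes only
$logAcl.AddAuditRule($fileRule)
Set-Acl -Path $logPath -AclObject $logAcl

# --- Registry SACL on HKLM:\SOFTWARE\Microsoft\SMS\DP (covers the ManagementPoints value) ---
$regPath = 'HKLM:\SOFTWARE\Microsoft\SMS\DP'
$regAcl  = Get-Acl -Path $regPath -Audit

$regRule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::QueryValues,   # audit value reads
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$regAcl.AddAuditRule($regRule)
Set-Acl -Path $regPath -AclObject $regAcl

# Show the resulting audit entries so the change can be verified.
(Get-Acl -Path $logPath -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
(Get-Acl -Path $regPath -Audit).Audit | Format-Table IdentityReference, RegistryRights, AuditFlags
```

Once in place, accesses surface as Security event ID 4663 (and 4656 handle requests) naming the object path, the account and the process; the SCCM client agent itself (CcmExec.exe) will read these locations constantly, so baseline that process and alert on other processes or interactive users touching the logs or the key.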
Associated Offensive IDs
References
- Chris Thompson, SharpSCCM
- Josh Prager & Nico Shyne, Domain Persistence: Detection Triage and Recovery, https://github.com/bouj33boy/Domain-Persistence-Detection-Triage-and-Recovery-SO-CON-2024