Overview

This guide provides comprehensive defensive recommendations to protect your SCCM infrastructure against the attack techniques demonstrated by SharpSCCM and similar tools.
Microsoft’s official security best practices should be your primary reference. This guide supplements those recommendations with specific mitigations for known attack techniques.

Critical Security Controls

Priority 1: Critical Controls

Why It’s Critical: Prevents NTLM relay attacks and credential theft

  1. Install KB15599094: apply security hotfix KB15599094 to all site servers.
  2. Disable NTLM for Client Push: configure client push installation to use Kerberos only.
  3. Require SMB Signing: enable SMB signing on all site systems:

     Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

Enable Enhanced HTTP

Why It’s Critical: Eliminates the need for Network Access Accounts

# Enable Enhanced HTTP via PowerShell. The site option is "Use Configuration
# Manager-generated certificates for HTTP site systems", which Set-CMSite
# exposes as -UseSmsGeneratedCert (the module has no -UseEnhancedHttp parameter).
Set-CMSite -SiteCode "PS1" -UseSmsGeneratedCert $true

After enabling Enhanced HTTP, disable any existing Network Access Accounts in Active Directory.

Require PKI Certificates and HTTPS

Why It’s Critical: Prevents rogue device registration and man-in-the-middle attacks

Requirements:
  • Deploy PKI infrastructure
  • Issue certificates to all clients
  • Configure HTTPS communication only
  • Disable HTTP communication on all site systems
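As an added example (not part of this guide and not the SharpSCCM project's code), the script below audits the Priority 1 settings on a site server and applies them when run with -Remediate. It assumes the Configuration Manager console, and with it the ConfigurationManager module, is installed on the host; the site code is a placeholder. Two details are assumptions noted in the comments: that -AllowNtlmFallback is available on your version of Set-CMClientPushInstallation, and that state value 196612 means "installed" for an in-console update. It goes slightly beyond the list above by also checking SMB signing on the client side of the site server, since the site server is the SMB client during client push.

```powershell
# Added example, not the SharpSCCM project's code: audit the Priority 1 controls on a
# site server and apply them when -Remediate is given. Run from an elevated
# PowerShell session on the site server.
param(
    [string] $SiteCode = "PS1",   # placeholder: use your primary site code
    [switch] $Remediate
)

$findings = [System.Collections.Generic.List[string]]::new()

# --- SMB signing (SmbShare module, ships with Windows Server) -----------------
# Server side is what the guide asks for. The client side is checked as well,
# because the site server is the SMB client when it pushes the client installer.
$smbServer = Get-SmbServerConfiguration
if (-not $smbServer.RequireSecuritySignature) {
    $findings.Add("SMB server signing is not required on $env:COMPUTERNAME")
    if ($Remediate) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
$smbClient = Get-SmbClientConfiguration
if (-not $smbClient.RequireSecuritySignature) {
    $findings.Add("SMB client signing is not required on $env:COMPUTERNAME")
    if ($Remediate) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# --- Configuration Manager settings (ConfigurationManager module) -------------
# Standard module import from the Configuration Manager docs; the module is
# installed with the console.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):\"
try {
    # KB15599094 is an in-console hotfix: it appears under Updates and Servicing,
    # not in Get-HotFix. Assumption: the update name carries the KB number.
    $hotfix = Get-CMSiteUpdate | Where-Object { $_.Name -match 'KB15599094' }
    if (-not $hotfix) {
        $findings.Add("KB15599094 is not listed under Updates and Servicing")
    } elseif ($hotfix.State -ne 196612) {
        # 196612 is the 'installed' state of SMS_CM_UpdatePackages (assumption; verify for your version).
        $findings.Add("KB15599094 is present but not installed (State=$($hotfix.State))")
    }

    # Client push: turn off the fallback to NTLM that relay attacks rely on.
    # Assumption: -AllowNtlmFallback exists on this module version.
    if ($Remediate) {
        Set-CMClientPushInstallation -SiteCode $SiteCode -AllowNtlmFallback $false
    }

    # Enhanced HTTP is the site option "Use Configuration Manager-generated
    # certificates for HTTP site systems", exposed by Set-CMSite as -UseSmsGeneratedCert.
    if ($Remediate) {
        Set-CMSite -SiteCode $SiteCode -UseSmsGeneratedCert $true
    }
}
finally {
    Pop-Location
}

if ($findings.Count -eq 0) {
    Write-Output "No Priority 1 findings on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it once without -Remediate to see the findings, then again with -Remediate from a change window; the client push and Enhanced HTTP settings have no read-back in this script, so confirm them afterwards in the console.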

Priority 2: High-Value Controls

Multi-Factor Authentication

Enable MFA for SMS Provider calls:
# Configure MFA for administrative access.
# Note: -RequireMfa is not a documented parameter of Set-CMAdministrativeUser in the
# ConfigurationManager module. The option is set in the console under
# Administration > Site Configuration > Sites > Hierarchy Settings > Authentication.
Set-CMAdministrativeUser -Name "DOMAIN\Admin" -RequireMfa $true

Kerberos Configuration

  • Require Kerberos for all site communications
  • Disable legacy authentication protocols
  • Configure SPNs correctly for all service accounts

Priority 3: Defense in Depth

  1. Disable Automatic Client Push: replace automatic site-wide client push with software update-based installation.
  2. Secure PXE Boot
    • Set strong PXE boot passwords (minimum 14 characters)
    • Disable F8 debugging in production
    • Restrict PXE to specific VLANs
  3. Secure Task Sequences
    • Don’t store credentials in task sequences
    • Use Windows LAPS for local admin passwords
    • Enable password encryption for Windows LAPS
  4. Database Security
    • Enable Extended Protection for Authentication (EPA) on SQL servers
    • Don’t link external databases with DBA privileges
    • Use strong passwords for all database accounts
    • Encrypt SQL connections

Detection & Monitoring

Key Detection Opportunities

Authentication Anomalies

  • Site system accounts authenticating from unexpected IPs
  • Client push accounts used outside primary site server
  • NAA authentication from non-distribution points

Policy Violations

  • Unusual policy requests from clients
  • Mass deployment of new applications
  • Suspicious CMPivot queries

Credential Access

  • DPAPI decryption events for SCCM
  • Access to credential-related WMI classes
  • Collection variable enumeration

Lateral Movement

  • Client push installation to sensitive systems
  • Script execution on multiple devices
  • Application deployment to admin workstations

Monitoring Rules

// KQL query for detecting suspicious SCCM activity: logons by SCCM service accounts
// from anything other than the known site systems.
// `contains` is a substring match, so it also catches names such as "sccm_naa"
// or "svc_cm_push"; `has` only matches whole terms.
SecurityEvent
| where EventID in (4624, 4625, 4648)
| where TargetUserName contains "sccm" or TargetUserName contains "cm_"
| where IpAddress !in ("10.0.1.10", "10.0.1.11") // Legitimate SCCM servers
| project TimeGenerated, Computer, TargetUserName, IpAddress, LogonType
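The same rule for hosts that are not forwarding to a SIEM, as an added example that is not part of this guide or of SharpSCCM: it reduces Security-log events to the fields the rule needs, then flags logons by SCCM service accounts from any source other than the known site systems. The server IP list reuses the placeholders from the KQL rule, the account-name substrings are an assumption to replace with your own naming convention, and the sample events at the bottom are constructed, not real log data.

```powershell
# Added example, not the SharpSCCM project's code: local-collection counterpart of
# the KQL rule above.
$KnownSiteSystems = @("10.0.1.10", "10.0.1.11")   # legitimate SCCM servers (placeholders, as in the KQL rule)
$AccountPatterns  = @("sccm", "cm_")              # substrings naming SCCM service accounts (assumption)

# Reduce a Security-log EventRecord to the fields the rule needs. Events 4624, 4625
# and 4648 all carry TargetUserName and IpAddress in their EventData.
function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            EventId        = $Record.Id
            TimeCreated    = $Record.TimeCreated
            Computer       = $Record.MachineName
            TargetUserName = $data['TargetUserName']
            IpAddress      = $data['IpAddress']
            LogonType      = $data['LogonType']
        }
    }
}

# Emit only the entries that match the rule: logon event, SCCM-looking account,
# source address not on the allow-list.
function Find-SuspiciousSccmLogon {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Entry,
        [string[]] $Allowed  = $KnownSiteSystems,
        [string[]] $Patterns = $AccountPatterns
    )
    process {
        if ($Entry.EventId -notin 4624, 4625, 4648) { return }
        $name = [string]$Entry.TargetUserName
        $hit = $false
        foreach ($p in $Patterns) { if ($name -like "*$p*") { $hit = $true; break } }
        if (-not $hit) { return }
        # "-" or a loopback address means a local logon on the collecting host; it is
        # kept, so an interactive logon with a service account is also surfaced.
        if ($Entry.IpAddress -in $Allowed) { return }
        $Entry
    }
}

# Constructed sample events (not real log data) in the reduced shape above.
$sampleEvents = @(
    [pscustomobject]@{ EventId = 4624; TimeCreated = '2024-01-15 08:00:01'; Computer = 'DP01';  TargetUserName = 'sccm_naa'; IpAddress = '10.0.1.10'; LogonType = 3 }     # NAA from a known server: expected
    [pscustomobject]@{ EventId = 4624; TimeCreated = '2024-01-15 08:02:13'; Computer = 'DP01';  TargetUserName = 'sccm_naa'; IpAddress = '10.0.5.23'; LogonType = 3 }     # NAA from a workstation subnet: flagged
    [pscustomobject]@{ EventId = 4648; TimeCreated = '2024-01-15 08:03:40'; Computer = 'WS042'; TargetUserName = 'cm_push';  IpAddress = '10.0.5.23'; LogonType = $null } # push account used off the site server: flagged
    [pscustomobject]@{ EventId = 4624; TimeCreated = '2024-01-15 08:05:00'; Computer = 'WS042'; TargetUserName = 'jdoe';     IpAddress = '10.0.5.23'; LogonType = 2 }     # ordinary user: ignored
)
$sampleEvents | Find-SuspiciousSccmLogon | Format-Table EventId, TimeCreated, Computer, TargetUserName, IpAddress

# Live use on a site system (last 24 hours of the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4648; StartTime = (Get-Date).AddDays(-1) } |
#     ConvertFrom-SecurityEvent | Find-SuspiciousSccmLogon
```

On the constructed sample the pipeline returns the second and third entries: the Network Access Account seen from a workstation subnet and the client push account used from a host that is not the site server, which are the "NAA authentication from non-distribution points" and "client push accounts used outside primary site server" opportunities listed above.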

Incident Response

  1. Immediate Actions
    • Reset all SCCM service account passwords
    • Revoke and reissue PKI certificates
    • Disable Network Access Accounts
    • Review recent application deployments
  2. Investigation Steps
    • Check SCCM audit logs for unauthorized changes
    • Review client push installation logs
    • Analyze SQL queries against the site database
    • Examine AdminService API access logs
  3. Remediation
    • Remove unauthorized administrators
    • Delete malicious applications/packages
    • Reset affected client configurations
    • Implement missing security controls
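A first-pass triage script for the investigation and remediation steps above, as an added example that is not part of this guide or of SharpSCCM. It uses the ConfigurationManager module (installed with the console) to list administrative users outside an approved list, applications, packages and deployments changed inside a lookback window, and AdminService requests in the provider's IIS logs. The site code, the approved-admin list and the IIS log folder are placeholders or assumptions, marked in the comments; the script only reports and removes nothing, so each finding can be reviewed before Remove-CMAdministrativeUser or a package deletion is run.

```powershell
# Added example, not the SharpSCCM project's code: post-incident triage for the
# investigation and remediation steps. Run on a host with the console installed.
param(
    [string]   $SiteCode       = "PS1",                    # placeholder
    [string[]] $ApprovedAdmins = @("CONTOSO\cm-admins"),   # placeholder: expected SMS_Admin LogonName values
    [int]      $LookbackDays   = 7
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):\"
try {
    $since = (Get-Date).AddDays(-$LookbackDays)

    # 1. Administrative users not on the approved list. Each one is a candidate for
    #    Remove-CMAdministrativeUser after review; nothing is removed here.
    $unexpectedAdmins = Get-CMAdministrativeUser |
        Where-Object { $_.LogonName -notin $ApprovedAdmins } |
        Select-Object LogonName, RoleNames, CategoryNames

    # 2. Applications and packages modified inside the window: the
    #    "review recent application deployments" step.
    $recentApps = Get-CMApplication -Fast |
        Where-Object { $_.DateLastModified -ge $since } |
        Select-Object LocalizedDisplayName, LastModifiedBy, DateLastModified
    $recentPkgs = Get-CMPackage -Fast |
        Where-Object { $_.LastRefreshTime -ge $since } |
        Select-Object Name, PackageID, LastRefreshTime

    # 3. Deployments created inside the window, so a mass deployment to a
    #    sensitive collection stands out.
    $recentDeployments = Get-CMDeployment |
        Where-Object { $_.CreationTime -ge $since } |
        Select-Object ApplicationName, CollectionName, CreationTime

    # 4. AdminService requests in the IIS logs on the SMS Provider. Assumption: the
    #    provider's IIS site logs to the default W3SVC folder under inetpub.
    $iisLogRoot = "$env:SystemDrive\inetpub\logs\LogFiles"
    $adminServiceHits = Get-ChildItem $iisLogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-String -Pattern '/AdminService/' |
        Select-Object -First 200

    [pscustomobject]@{
        UnexpectedAdmins  = $unexpectedAdmins
        RecentApps        = $recentApps
        RecentPackages    = $recentPkgs
        RecentDeployments = $recentDeployments
        AdminServiceHits  = $adminServiceHits
    }
}
finally {
    Pop-Location
}
```

Capture the returned object (`$triage = .\Triage-Site.ps1`) and work through each property; an empty UnexpectedAdmins with a non-empty RecentDeployments list usually means an existing administrator's credentials, not a newly added administrator, were used, which changes which service account passwords to reset first.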

Additional Resources

Questions? Reach out on the BloodHound Slack or create an issue on GitHub.