CcmPwn: leverages the CcmExec service to remotely hijack user sessions
# CcmPwn

`ccmpwn.py` is a lateral movement script that leverages the CcmExec service to remotely hijack user sessions.

## Explanation

System Center Configuration Manager (SCCM) clients make use of the CcmExec service, which initiates the execution of `C:\Windows\CCM\SCNotification.exe` for every logged-in user. Leveraging the fact that `SCNotification.exe` is a .NET application, red team operators could modify its configuration file (`C:\Windows\CCM\SCNotification.exe.config`) to execute an AppDomainManager payload or coerce authentications as the affected users. This technique provides operators with an alternative approach to credential dumping or process injection. Operators must have local administrator privileges on the target system.

Read more about this technique and defense recommendations at SeeSeeYouExec: Windows Session Hijacking via CcmExec.
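Because the technique hinges on a modified `SCNotification.exe.config`, a defender can check that file for the .NET `<runtime>` directives that redirect AppDomainManager loading. The script below is an added example written for this page, not part of the ccmpwn project; the two sample configs are constructed, the assembly and type values are placeholders, and the default path is the one named above.

```python
"""Defensive check: does SCNotification.exe.config redirect the AppDomainManager?

Added example, not part of the ccmpwn project. It parses a .NET application
config and flags the <runtime> elements (appDomainManagerAssembly and
appDomainManagerType) that load an AppDomainManager from an arbitrary
assembly. Sample configs below are constructed for illustration.
"""
from pathlib import Path
import xml.etree.ElementTree as ET

# Path the README identifies as the client config (used if no path is given).
DEFAULT_CONFIG_PATH = Path(r"C:\Windows\CCM\SCNotification.exe.config")

# .NET <runtime> child elements that control AppDomainManager loading.
SUSPECT_RUNTIME_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}


def find_appdomainmanager_settings(config_xml: str) -> dict:
    """Return {element: value} for every AppDomainManager directive in <runtime>."""
    root = ET.fromstring(config_xml)
    findings = {}
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    for child in runtime:
        tag = child.tag.split("}")[-1]  # drop any namespace prefix
        if tag in SUSPECT_RUNTIME_ELEMENTS:
            findings[tag] = child.get("value", "")
    return findings


def assess(config_xml: str) -> tuple:
    """Classify a config as 'clean' or 'suspicious' and return the findings."""
    findings = find_appdomainmanager_settings(config_xml)
    return ("suspicious" if findings else "clean", findings)


def check_file(path: Path = DEFAULT_CONFIG_PATH):
    """Assess the config on disk; None if the file is absent (not an SCCM client)."""
    if not path.is_file():
        return None
    return assess(path.read_text(encoding="utf-8-sig"))


# Constructed sample: an ordinary .NET config with no AppDomainManager settings.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
</configuration>"""

# Constructed sample: the <runtime> block that the technique relies on.
# Assembly and type names are placeholders, not real values.
TAMPERED_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <runtime>
    <appDomainManagerAssembly value="PLACEHOLDER_ASSEMBLY, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PLACEHOLDER_TYPE" />
  </runtime>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        verdict, found = assess(cfg)
        print(f"{label}: {verdict} {found}")
    on_disk = check_file()
    print("on-disk config:", on_disk if on_disk else "not present on this host")
```

Run it on the SCCM client itself (or against a copy of the config collected from the host) and alert on any `suspicious` verdict; a legitimate `SCNotification.exe.config` has no reason to name an AppDomainManager assembly.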
## Install

```
git clone https://github.com/mandiant/ccmpwn.git
pip3 install impacket
```
## Use

`ccmpwn.py` can perform the following actions:

- `exec` – execute an AppDomainManager payload for every logged-in user. Specify the `-dll` and malicious `-config` to upload to the target.
- `coerce` – coerce SMB or HTTP authentication for every logged-in user (`-method`). Specify the computer the users should authenticate to with `-computer`.
- `query` – query logged-in users via WMI.
- `status` – query the CcmExec service status.
Copyright (C) 2024 mandiant
Source: https://github.com/mandiant/