Volume 312, Issue 4 · IT Vendor News · Google

SeeSeeYouExec: Windows Session Hijacking via CcmExec

Google News, Thursday, March 28th, 2024

Over the last several years, the security community has witnessed an uptick in System Center Configuration Manager (SCCM)-related attacks. From extracting network access account (NAA) credentials to deploying malicious applications to targeted devices, SCCM attacks have aided in accomplishing complex objectives and evading existing detections.

Mandiant's Red Team has utilized SCCM technology to perform novel attacks against mature clients where conventional methodology was not possible. One such SCCM attack is introduced in this blog post.

There was a time when red teamers with elevated privileges on a Windows system could effortlessly inject shellcode into an unsuspecting user's processes. This allowed red teamers to carry out post-exploitation activities within that new process, such as keylogging or accessing LDAP as the affected user. However, as endpoint detection and response (EDR) systems have improved, remote process injection has turned into a risky operation, pushing red teamers to seek alternative methods to hijack a user's session.
