SCCM Site Takeover via Automatic Client Push Installation
Common Information
Type Value
UUID 0ce98311-26dc-47af-89cd-9d83a94e5c86
Fingerprint f508eddb71a3efc4
Analysis status DONE
Considered CTI value 0
Text language
Published Jan. 19, 2023, 2:52 p.m.
Added to db April 3, 2023, 12:30 p.m.
Last updated Nov. 18, 2024, 8:27 a.m.
Headline SCCM Site Takeover via Automatic Client Push Installation
Title SCCM Site Takeover via Automatic Client Push Installation
Detected Hints/Tags/Attributes 37/1/12
RSS Feed
Id Enabled Feed title Url Added to db
196 Posts By SpecterOps Team Members - Medium https://posts.specterops.io/feed 2024-08-30 22:08
Attributes
Type #Events CTI Value
Domain 3
libproxychains.so
Domain 26
posts.specterops.io
File 1
sharpsccm.exe
IPv4 1
192.168.57.50
IPv4 1
192.168.57.51
IPv4 3
192.168.57.100
IPv4 1
192.168.57.101
IPv4 1
192.168.57.130
IPv4 1442
127.0.0.1
Microsoft Patch Numbers 1
KB15599094
Url 1
https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867
Url 1
https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a.