Sccm — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/sccm/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jul 2024 10:00:00 +0000Potential Windows Session Hijacking via CcmExechttps://feed.craftedsignal.io/briefs/2024-07-sccm-dll-hijacking/Wed, 03 Jul 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-07-sccm-dll-hijacking/Adversaries may exploit Microsoft's System Center Configuration Manager by loading malicious DLLs into SCNotification.exe, a process associated with user notifications, potentially leading to Windows session hijacking.Attackers may attempt to hijack Windows user sessions by exploiting Microsoft’s System Center Configuration Manager (SCCM). This involves loading malicious DLLs into SCNotification.exe, a process responsible for user notifications within the SCCM framework. The vulnerability arises when SCNotification.exe loads untrusted DLLs, potentially impersonating a user session. This activity is often characterized by recent DLL file creation or modification, coupled with the DLL lacking a trusted code signature. The references indicate this technique has been discussed publicly, raising awareness and the potential for increased exploitation.

Attack Chain

  1. Attacker gains initial access to the target system.
  2. Attacker places a malicious DLL on the system. This DLL may be disguised to appear legitimate.
  3. The attacker manipulates the system to cause SCNotification.exe to load the malicious DLL. This may involve modifying registry keys or file paths.
  4. SCNotification.exe loads the attacker-controlled DLL.
  5. The malicious DLL executes within the context of the SCNotification.exe process.
  6. The attacker leverages the hijacked process to impersonate a user session.
  7. Attacker gains unauthorized access to user accounts and data.
  8. Attacker performs malicious actions under the guise of the compromised user, such as data exfiltration or privilege escalation.

Impact

A successful attack could lead to unauthorized access to sensitive data, privilege escalation, and further compromise of the network. Victims could experience data breaches, financial loss, or reputational damage. The impact depends on the extent of access gained by the attacker and the sensitivity of the data accessed.

Recommendation

  • Deploy the Sigma rule “Potential Windows Session Hijacking via CcmExec” to your SIEM to detect suspicious DLL loads by SCNotification.exe.
  • Investigate alerts triggered by the Sigma rule, focusing on DLLs with recent file creation times or modifications (DLL timestamps) and untrusted signatures.
  • Implement application whitelisting to prevent unauthorized DLLs from being loaded by SCNotification.exe as described in the remediation steps in the note section.
  • Monitor process creation events for SCNotification.exe and related processes.
  • Enable Sysmon process creation logging to enhance visibility into process execution events, which activates the Sigma rules above.
]]>mediumadvisorydefense-evasiondll-hijackingsccm