The Admin's Guide to Preventing SCCM Attacks | SO-CON 2025

Presented by Chris Thompson and Garrett Foster.

Microsoft Configuration Manager (formerly SCCM) is a powerful target for adversaries due to its ability to execute arbitrary programs and scripts on any client device but is too often overlooked for its role in security. In many organizations, SCCM was deployed long, long ago by someone long gone and has changed hands as employees come and go and roles shift. This increases the likelihood that unknown, abusable misconfigurations have been lurking in these environments for years.

In this session, we'll provide high-level overviews and demos of the most common misconfiguration abuses and Attack Paths in SCCM, then show you step-by-step how to fix them. This means fewer pentest findings—or worse, security breaches involving SCCM—for you to deal with.

Attendees are encouraged to have a foundational understanding of SCCM concepts and attack techniques - such as those covered in our SO-CON talk last year: https://www.youtube.com/watch?v=nvaOszFzXCQ - as this session will focus primarily on implementing preventative controls to counter them.

Slides: https://github.com/SpecterOps/presentations/tree/main/SO-CON%202025/Chris%20Thompson%20and%20Garrett%20Foster%20-%20The%20Admin's%20Guide%20to%20Preventing%20SCCM%20Attacks

SO-CON: https://specterops.io/so-con

This talk was recorded on Monday, March 31, 2025 at SO-CON 2025.