Session

C2 by Microsoft: What can go wrong if SCCM ends up in the wrong hands

SCCM is a critical infrastructure component used in many corporate environments for centralized software deployment, patching, and endpoint configuration. But what happens when attackers turn this powerful tool against you?
In this talk, we’ll explore SCCM from the perspective of both defenders and adversaries. We’ll explain its architecture, key components, and why it represents such an attractive target for attackers aiming for domain-wide persistence, privilege escalation, and lateral movement. We’ll demonstrate how SCCM can be abused as a stealthy Command & Control (C2) channel and examine real-world techniques used to compromise both SCCM servers and clients.
The presentation will also cover detection and monitoring strategies tailored for SCCM, including event logging, behavioral indicators, and configuration weaknesses. We'll share our practical experience, tools, and methods that can help you proactively secure and audit this often-overlooked service.

Alexander Rodchenko

Senior SOC analyst, Kaspersky

Moscow, Russia
