SCCM (System Center Configuration Manager) and Incident Response

Have you ever heard of SCCM?


You probably know what I am going to talk about.


Well, you are going to like it.

It’s been a few years since I discovered this gem and successfully used it for Incident Response work.

Cutting long story short, SCCM (System Center Configuration Manager) is a a configuration platform that helps to manage large networks of computers. On top of typical admin tasks, it also can regularly gather information from the systems including very interesting artifacts e.g. file lists.

Now you know where this post is heading.

Having a database of artifacts from the system, a snapshot, if you will gives the company a very powerful tool for both individual system analysis and a global view of all the files stored across the company (when I say ‘all’ here, it usually means a subset, e.g. .exe; this is due to performance hit and database size limitations; talk to your SCCM admin guys to find out what you have).

So, what potentially can you do then with SCCM?

Let me list a few interesting properties of this system:

  • You get a snapshot of ‘all’ file systems across the company.
  • This snapshot is updated continuously (with a specific interval e.g. every day).
  • You can query it using customizable reports that show both specific files, systems, and lots more.
  • The whole thing is backed by the MS SQL engine, so you can even talk to it in SQL.

Accessing SCCM gives the IR folk many opportunities to access very interesting data useful for a daily IR work; to give you a couple of ideas, let’s run through a couple of scenarios one can utilize SCCM for:

  • A daily reporting looking for specific file names f.ex.:
    • known hacking tool names
    • suspicious file names e.g. including common keywords from spam campaigns like ‘invoice’ or ‘payment’, etc.
    • double file extensions e.g. jpg.exe
    • ‘funny’ tools installed by employees
    • etc.
  • If you connect directly to the SCCM database you can do cross-referencing and lookg for anomalies across systems (note that this requires some deep thinking first as the DB is constantly utilized by the system and any large query will not only piss the admins off, but simply bring the system down).
  • You can use it to automatically remove files.
  • The snapshot offers yet another way to look at the system artifacts which are preserved in a separate location; if we are lucky, it’s possible it may list files that have been already deleted from the system and this way offer some insight in attackers’ doing or provide clues for further analysis – it complements the file listing acquired either through live or offline analysis
  • Remember that this is data which is already gathered anyway, so the cost is null. Okay, it may cost you a beer that you will buy me one day 🙂

Well, that’s it. If you don’t use SCCM yet you better have a good chat with your admins. The chances are that you may actually start using it on regular basis and generate a series of ‘quick wins’ which will not only please your bosses, but more importantly – improve the security of your company.