SCOM Security Concerns

Hello World,

SCOM (System Center Operations Manager) was my baby operating system for years. As such, I learned a lot about how it works and how to make it better.

I learned how to extract Account information with internal scripts and how to use SCOM to move files to DMZ closed environments and work-groups.

But nothing prepared me for the next big thing:

Yes, it's what it says in the title.

A group named NCC Group Plc did an amazing job reverse engineering the SCOM Run As accounts.

To make a long story short, and giving very big credit to the group, I will give a very short explanation of what they did:

Using a small PowerShell script, or by building an EXE file, you can run simple commands against your SCOM server and extract all of the Run As account passwords.

These are the steps, in short:

● Calls the SecureStorageManager.Initialize() method and reads in the encrypted RSA private key value stored at: “SOFTWARE\\Microsoft\\System Center\\2010\\Common\\MOMBins”
● Queries the dbo.MachineKey table to retrieve the following 
● Decrypts the private key using DPAPI.
● The private key is used to decrypt the masterKey and masterIV
● The masterKey and masterIV are used to decrypt the credential data using AES 256.

From there, running the PowerShell script will do this:

powershell-import C:\path\to\SCOMDecrypt.ps1
 powershell Invoke-SCOMDecrypt
 [+] bobsudo:H a c k T h e P l a n e t
 [+] administrator:W i n t e r 2 0 1 5 !
 [+] alice:P a s s w 0 r d 1 2 3 !
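
A defender's view of the first step in the list above, as an added example that is not part of the original post or of NCC Group's tool: it lists which principals can read the MOMBins key and adds an audit (SACL) entry so that reads of the key are logged. It assumes the subkey quoted in the post lives under HKLM (the post gives only the subkey path) and an elevated session on the management server.

```powershell
# Added example, not from the original post. Run elevated on the management server.
# Assumption: the subkey quoted in the post lives under HKLM.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\System Center\2010\Common\MOMBins'

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Warning "Key not found: $keyPath"
    return
}

# 1. List every principal whose Allow ACE lets it read values under the key.
#    0x1 = QueryValues; 0x80000000 / 0x10000000 = GENERIC_READ / GENERIC_ALL,
#    which show up as raw numbers on some inherited ACEs.
$readBits = 0x1 -bor 0x80000000 -bor 0x10000000
(Get-Acl -LiteralPath $keyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ([int]$_.RegistryRights -band $readBits) } |
    Select-Object IdentityReference, RegistryRights, IsInherited |
    Format-Table -AutoSize

# 2. Audit successful value reads by anyone (S-1-1-0 = Everyone), this key only.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone,
    [System.Security.AccessControl.RegistryRights]::QueryValues,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$sd = Get-Acl -LiteralPath $keyPath -Audit   # -Audit also loads the SACL
$sd.AddAuditRule($rule)
Set-Acl -LiteralPath $keyPath -AclObject $sd

# 3. Show the resulting SACL. Reads are written to the Security log (event 4663)
#    once the "Registry" object-access subcategory is enabled, e.g.:
#    auditpol /set /subcategory:"Registry" /success:enable
(Get-Acl -LiteralPath $keyPath -Audit).Audit |
    Select-Object IdentityReference, RegistryRights, AuditFlags |
    Format-Table -AutoSize
```

The SCOM services read this key themselves, so baseline their accounts and processes first and alert on reads from anything else.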