
Research Exposes Security Risks in Microsoft SCOM Monitoring Tool
The video presents research by Matt Johnson and Garrett Foster from SpecterOps on Microsoft System Center Operations Manager (SCOM), a monitoring product that originated in 1999 as 'Windows NT Event Tree' and was later acquired by Microsoft. The talk walks through SCOM's architecture: a management server, an operational database (7-day data retention by default), a data warehouse (up to 412 days), and agents that monitor Windows hosts, Linux hosts, and Layer 2/3 network devices.

The attack techniques demonstrated include an NTLM relay against the Data Access Service, which runs as Local System by default, used to escalate privileges by adding arbitrary users to the SCOM Administrators role through direct SQL queries against the operational database. The researchers also reverse-engineered SCOM's agent enrollment process and found ways to extract 'Run As' credentials, which are frequently overprovisioned (the talk cites an environment with roughly 300 domain admin accounts configured as Run As accounts), using tools such as SharpSCOM and custom clients built on Kerberos SSPI. Manual agent enrollment over TCP port 5723 was shown to work even in environments with otherwise strict firewall rules, and configurations that automatically approve newly installed agents were singled out as a significant risk.

The presentation closes with defensive recommendations, chiefly treating SCOM-managed assets as 'Tier 0', and points to a two-part blog series that releases the tooling, including SharpSCOM and SCOMHound.
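A defender-side audit for the two configuration risks the talk singles out (auto-approved agent enrollment and broadly distributed Run As accounts), added here as an example; it is not from the talk and not part of the SpecterOps tooling. It uses the documented cmdlets of the OperationsManager PowerShell module. The management server name, the 50-target threshold, the wildcard match on the administrators role name, and the property names read from the cmdlet output are assumptions to verify against your own SCOM version.

```powershell
# Added example (not SpecterOps code): audit agent approval policy and Run As
# account distribution. Requires the OperationsManager module and SCOM
# Administrator rights; run on a management server or console host.
Import-Module OperationsManager

# Assumption: management server name for this environment.
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01.corp.example'

# 1. Manual agent approval. With AutoApprove, any host that can reach TCP 5723
#    can enrol itself as a managed system; Pending forces an administrator to
#    review each new agent. The string match avoids depending on the exact
#    property name of the returned object (assumption).
$approval = Get-SCOMAgentApprovalSetting | Out-String
if ($approval -match 'AutoApprove') {
    Write-Warning 'Manually installed agents are auto-approved. Move to Pending:'
    Write-Warning '    Set-SCOMAgentApprovalSetting -Pending'
}

# 2. Run As accounts and where each one is distributed. "LessSecure" pushes the
#    credential to every agent that asks for it, which is the exposure the talk
#    abused; a large explicit distribution list is the same problem by hand.
#    Property names (Name, AccountType, Security, SecureDistribution) are
#    assumptions from the cmdlet documentation.
$maxTargets = 50   # assumption: review anything distributed more widely than this
Get-SCOMRunAsAccount | ForEach-Object {
    $dist = $_ | Get-SCOMRunAsDistribution
    [pscustomobject]@{
        Account     = $_.Name
        Type        = $_.AccountType
        Security    = $dist.Security                  # LessSecure or MoreSecure
        TargetCount = @($dist.SecureDistribution).Count
    }
} |
    Where-Object { $_.Security -eq 'LessSecure' -or $_.TargetCount -gt $maxTargets } |
    Sort-Object TargetCount -Descending |
    Format-Table -AutoSize

# 3. Membership of the SCOM Administrators role, the role the relay path adds
#    users to. Matching on display name is an assumption; check DisplayName in
#    your environment if nothing is returned.
Get-SCOMUserRole |
    Where-Object { $_.DisplayName -like '*Administrators*' } |
    ForEach-Object { '{0}: {1}' -f $_.DisplayName, ($_.Users -join ', ') }
```

Run it from an elevated Operations Manager Shell. The script only reports; the one remediation it suggests (`Set-SCOMAgentApprovalSetting -Pending`) is printed rather than applied so the change goes through your normal change control.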