Based on KEVIntel honeypot logs and Mandiant report, I believe this is potentially the CVE-2026-35273 chain used, but not 100% on all details. 1. Attacker sends POST /PSEMHUB/hub with environment-management actions (updateEnvironment, fetchEnvironment, syncEnvironment) and an attacker-controlled sourceURL (http://attacker_ip:9999/hub_update). 1.1 The hub fetches and processes environment metadata/updates from the attacker-controlled sourceURL. 1.2 Malicious content is staged on disk under PSEMHUB.war/envmetadata/ (transactions, environment XML). 1.3 RCE follows when that content is processed. Mandiant observed XMLDecoder abuse via envmetadata/data/environment/*.xml on app restart, plus unexpected .jsp webshells. 2. Integration Broker SSRF. POST /PSIGW/HttpListeningConnector with sourceURL targets including: - WebLogic admin console (127[.]0.0.1:7001/console) - Internal PeopleSoft services (127[.]0.0.1:51500/pspc/services/AdminService) - Cloud metadata endpoint (169[.]254.169.254)
Based on KEVIntel honeypot logs and Mandiant report, I believe this is the CVE-2026-35273 chain used, but not 100% on all details. 1. Attacker sends POST /PSEMHUB/hub with environment-management actions (updateEnvironment, fetchEnvironment, syncEnvironment) and an attacker-controlled remote sourceURL (http://attacker_ip:9999/hub_update). 1.1 The hub fetches and processes environment metadata/updates from the remote attacker-controlled sourceURL. 1.2 Malicious content is staged on disk under PSEMHUB.war/envmetadata/ (transactions, environment XML). 1.3 RCE follows when that content is processed. Mandiant observed XMLDecoder abuse via envmetadata/data/environment/*.xml on app restart, plus unexpected .jsp webshells. 2. Integration Broker SSRF. POST /PSIGW/HttpListeningConnector with sourceURL targets including: - WebLogic admin console (127[.]0.0.1:7001/console) - Internal PeopleSoft services (127[.]0.0.1:51500/pspc/services/AdminService) - Cloud metadata endpoint (169[.]254.169.254)
🚨 KEVIntel Honeypot Alert KEVIntel observed activity targeting Oracle PeopleSoft via: POST /PSIGW/HttpListeningConnector This is one of the key PeopleSoft endpoints highlighted by Google Mandiant in its reporting on CVE-2026-35273 exploitation by UNC6240 / ShinyHunters. The activity is consistent with exploitation attempts against the same Environment Management / Integration Broker attack surface described in that campaign. At this stage, we are treating the activity as consistent with reported CVE-2026-35273 targeting, not as confirmed attribution to the same threat actor. We are continuing to track this activity across KEVIntel sensors.
Replying to @AndreGironda
Based on KEVIntel honeypot logs and Mandiant report, I believe this is the chain used, but not 100% on all details: 1. Attacker sends POST /PSEMHUB/hub with environment-management actions (updateEnvironment, fetchEnvironment, syncEnvironment) and an attacker-controlled sourceURL (http://attacker_ip:9999/hub_update). 1.1 The hub fetches and processes environment metadata/updates from the attacker-controlled sourceURL. 1.2 Malicious content is staged on disk under PSEMHUB.war/envmetadata/ (transactions, environment XML). 1.3 RCE follows when that content is processed. Mandiant observed XMLDecoder abuse via envmetadata/data/environment/*.xml on app restart, plus unexpected .jsp webshells. 2. Integration Broker SSRF. POST /PSIGW/HttpListeningConnector with sourceURL targets including: - WebLogic admin console (127[.]0.0.1:7001/console) - Internal PeopleSoft services (127[.]0.0.1:51500/pspc/services/AdminService) - Cloud metadata endpoint (169[.]254.169.254)
A new technique has been published that completely bypasses the CVE-2025-33073 patch, which was meant to prevent Windows authentication reflection attacks, by exploiting a mismatch in Unicode string normalization. A reflection attack is a technique in which credentials the victim is induced to issue are bounced back to the victim's own service to complete a login. Reportedly, just by replacing part of the SMB server name with a different but visually similar Unicode character, the attacker was able to go from domain user privileges to SYSTEM-level remote code execution (RCE) on the target machine. Windows string comparison has mechanisms that ignore differences such as upper/lower case and full-width/half-width, and under the conditions used in the AD-side SPN lookup, visually similar Unicode characters such as "R" and "Ⓡ" are reportedly treated as the same name. Because the domain controller's SPN lookup compares with this ignoring in effect, an authentication ticket for the legitimate machine is issued. On the other hand, the victim-side check of "is this addressed to me?" is performed through a separate path where the ignoring is weaker, so the name is recognized as a different one. By abusing this asymmetry, the attacker can reportedly steer a DNS query toward an attacker-controlled server without the victim noticing it is addressed to itself. [Summary of key points] - Because the SPN lookup side uses sort-key comparison via the LCMapStringEx function and treats "SRV1" and "SⓇV1" as identical, a ticket request for "CIFS/SⓇV1" reportedly returns a service ticket for the legitimate SRV1$. However, since the same sort key is used for duplicate checking when adding DNS records, replacing only the hostname is rejected at new DNS registration by design. - Replacing the dot in the FQDN with U+2024 is explained to satisfy both sides: on the DNS side it can be registered without colliding with the existing record, while on the SPN side it matches the same sort key as the existing one. The victim-side DnsCache self-check is a separate-path comparison using CompareStringW with only case-insensitivity specified, which treats the circled R as a different character but the Unicode dot as identical; this asymmetry is the crux of the attack. - Three related CVEs. CVE-2026-24294 is the LPE covered in Part 1 that abuses SMB mounts on arbitrary TCP ports. Immediately after the new technique in this Part 2 was reported to MSRC in October 2025, CVE-2025-58726, originating from separate research, was fixed in the October patch, unintentionally closing the RCE path. The authors converted it into an LPE with a setup that reflects authentication from the attacker's shell back into the local machine, fixed as CVE-2026-26128 in the March 2026 patch. - Beyond SMB, services that accept Kerberos but do not enforce communication integrity are pointed out as still potential targets. Representative examples are AD CS (certificate issuance infrastructure) Web Enrollment and SCCM (Microsoft's endpoint management platform) AdminService; the latter introduced NTLM relay rejection in version 2509, but is reported to be compromisable again from standard user privileges via the Kerberos authentication coercion technique in this article. Recommended mitigations are enforcing SMB signing, enforcing channel binding for MSSQL, restricting network access to AdminService, and restricting the RPC calls used for authentication coercion. - Conclusion: unless communication integrity is enforced by default on the Windows service side, authentication reflection/relay attacks will persist via other services. For details see: synacktiv.com/en/publication…
Love how quick Claude is at generating mocks to dev against. In this case generating a quick mock AdminService HTTP service for testing changes for @unsigned_sh0rt SCCMHunter... Saves spinning up a full lab for POCing changes.
Can you try to run the Invoke-CMApplyDriverPackage.ps1 from WinPE, specifying the AdminService as the endpoint. Failed when I tested. Use the -Debug switch if testing in VMs.
Replying to @jarwidmark
AdminService supports Kerberos; use UPN when setting username/password variables and it will work again.
Replying to @maleroytw
Nah, going to legacy driver management as a workaround… Still using the MDM tool to create wim-based driver packages, but change how the TS picks them since the AdminService can’t be used.
CVE-2025-59501 - POC that abuses SCCM's AdminService API when Entra ID integration is enabled to elevate to Full Administrator and takeover an SCCM hierarchy. - @unsigned_sh0rt github.com/garrettfoster13/C…
19 Nov 2025
SCCM’s AdminService uses Entra tokens without confirming the UPN exists in AD. A crafted synced UPN can let an attacker impersonate the site server. Microsoft now requires on-prem SID matching (CVE-2025-59501). Great deep dive by @unsigned_sh0rt! ghst.ly/43wTzLx
22 Oct 2025
Replying to @digdimsoufoda
It's that I prefer using folder-by-feature over folder-by-type. E.g.: /admin adminService adminType adminModel /users userService userType userModel instead of /models /admin adminModel /user userModel /services /admin adminService /user userService
27 Jul 2025
Invisible hands, unstoppable progress! MyTasker's Admin Service keeps your operations running smoothly while you focus on what matters most—growth! Ready to level up? Reach out to us at: info@mytasker.com #AdminService #BusinessGrowth #Efficiency #VirtualAssistant #ProductivityBoost #BusinessSuccess #DelegateToElevate #ScaleYourBusiness #MyTasker
I have some stuff I wrote a while back that doesn’t Gather with PowerShell in the TS. It’s not fancy and doesn’t help with the MDT stuff though. asquaredozen.com/2020/02/20/… Also you can integrate the AdminService into your Task Sequence. I have a module that helps with a lot of the common tasks. github.com/AdamGrossTX/Confi… I don’t know if @jarwidmark has anything published yet but he was recently working on a TS with the module integrated into it.
Replying to @Royessers
yeah, that's the current state of the adminservice for you :( I'd love to move from the cmdlets to adminservice only for my many automations but the lack of feature parity and documentation/code samples for more elaborate things is a massive issue.
10 Oct 2023
Does anyone have a working example to deploy an application to a given collection using the #SCCM AdminService? I don't know how to create an Instance by using wmi/SMS_ApplicationAssignment . Adding and distributing the app using this service is already in place
Pushed a big update to SCCMHunter for my talk at @BSidesPDX this weekend. Some cool new features that let you remotely perform recon and post-exploitation with the AdminService API. github.com/garrettfoster13/s…
15 Aug 2023
Site Takeover via SCCM’s AdminService API | by Garrett Foster | Aug, 2023 | Posts By SpecterOps Team Members posts.specterops.io/site-tak…
Site Takeover via SCCM’s AdminService API posts.specterops.io/site-tak…