Overview

The SCCM command enumerates System Center Configuration Manager (SCCM/ConfigMgr) client configuration and settings. SCCM is Microsoft’s enterprise management solution, and its configuration can reveal network topology, management servers, and potential attack vectors through management infrastructure.

Syntax

Seatbelt.exe SCCM

Remote Execution

Seatbelt.exe SCCM -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

Returns SCCM configuration:
  • SCCM client installation status
  • Management Point (MP) servers
  • Distribution Point (DP) servers
  • Site code
  • Client version
  • Last successful policy retrieval
  • Assigned site
  • Cache location

Use Cases

  • Red Team
  • Blue Team
  • Identify SCCM management servers
  • Discover lateral movement paths via SCCM
  • Locate SCCM cache for credential/data access
  • Identify SCCM attack surface (NAA accounts, etc.)
  • Map enterprise management infrastructure

Example Output

====== SCCM ======

[*] SCCM Client Installed: True

Site Code               : PS1
Client Version          : 5.00.9078.1000
Management Point        : sccm-mp01.corp.local
Distribution Points     : sccm-dp01.corp.local, sccm-dp02.corp.local
Last Policy Request     : 10/15/2024 8:00:00 AM
Cache Location          : C:\Windows\ccmcache
Cache Size              : 5120 MB

Boundaries:
  Type                  : AD Site
  Value                 : Default-First-Site-Name
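
For inventory or review work it helps to turn this text into a structured record. The parser below is an added example, not part of Seatbelt or the original page; it assumes the layout shown in the example output above, and the function names and the allowlist of expected servers are hypothetical.

```python
import re

# Constructed sample: the example output from this page, reproduced as input.
SAMPLE = r"""====== SCCM ======

[*] SCCM Client Installed: True

Site Code               : PS1
Client Version          : 5.00.9078.1000
Management Point        : sccm-mp01.corp.local
Distribution Points     : sccm-dp01.corp.local, sccm-dp02.corp.local
Last Policy Request     : 10/15/2024 8:00:00 AM
Cache Location          : C:\Windows\ccmcache
Cache Size              : 5120 MB

Boundaries:
  Type                  : AD Site
  Value                 : Default-First-Site-Name
"""

# Split on the first colon followed by whitespace, so "C:\..." and "8:00:00" stay intact.
KV = re.compile(r"^\s*(?:\[\*\]\s*)?(?P<key>[^:]+?)\s*:\s+(?P<val>.*)$")
LIST_KEYS = {"Distribution Points"}  # assumed comma-separated, as in the sample

def parse_sccm(text):
    """Parse one SCCM section into a dict; indented blocks become sub-dicts."""
    record, block = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or re.fullmatch(r"=+\s.*\s=+", line.strip()):
            continue  # blank line or "====== SCCM ======" banner
        indented = line[0].isspace()
        if not indented:
            block = None  # a top-level line closes any open sub-block
            if line.endswith(":"):  # e.g. "Boundaries:" opens a sub-block
                block = record.setdefault(line[:-1].strip(), {})
                continue
        m = KV.match(line)
        if not m:
            record.setdefault("_unparsed", []).append(line)  # keep, never drop
            continue
        key, val = m["key"], m["val"].strip()
        if key in LIST_KEYS:
            val = [v.strip() for v in val.split(",") if v.strip()]
        elif val in ("True", "False"):
            val = val == "True"
        (block if indented and block is not None else record)[key] = val
    return record

def unexpected_servers(record, expected):
    """Return reported MP/DP hosts that are not in the expected (hypothetical) allowlist."""
    seen = [record.get("Management Point")] + record.get("Distribution Points", [])
    allowed = {h.lower() for h in expected}
    return sorted(h for h in seen if h and h.lower() not in allowed)
```

Comparing each client's reported servers against the list of known site systems shows which clients point at a management or distribution point that is not on record.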

Remote Execution

This command supports remote execution using the -computername parameter.

Detection Considerations

Low detection risk: the command queries the SCCM WMI namespace and the registry.