​

SCCM Lab Resources

• Zach Stein released a Ludus SCCM lab that covers a lot of the techniques in this repo.
• @an0n_r0 released a Snap Labs range that can be used to test the majority of SCCM tradecraft in this repo.
• @M4yFly released an SCCM lab for the Game of Active Directory (GOAD) project that can be used with VMware or VirtualBox which also covers a lot of the tradecraft in this repo.

• Microsoft and Office 365 deployment lab kit
• SCCM Technical Preview Azure Template
• AutomatedLab

​

Offensive and Defensive SCCM Resources

• Active Directory Spotlight: Attacking The Microsoft Configuration Manager (SCCM/MECM), by Carsten Sandker (@0xcsandker)
• Adding MSSQL to BloodHound using OpenGraph, by Chris Thompson (@_Mayyhem)
• An Inside Look: How to Distribute Credentials Securely in SCCM, by Christopher Panayi
• Attacking and Defending Configuration Manager - An Attacker’s Easy Win, by Logan Goins (@_logangoins)
• Automating SCCM with Ludus: A Configuration Manager for Your Configuration Manager, by Zach Stein (@synzack21)
• Black Hat USA Arsenal 2022: SharpSCCM, by Chris Thompson (@_Mayyhem) and Duane Michael (@subat0mik)
• Black Hat USA Arsenal 2023: SharpSCCM - Abusing Microsoft’s C2 Framework, by Chris Thompson (@_Mayyhem) and Diego Lomellini (@DiLomSec1)
• Black Hat USA SpecterOps Booth 2023: SharpSCCM - Abusing Microsoft’s C2 Framework, by Chris Thompson (@_Mayyhem) and Diego Lomellini (@DiLomSec1)
• CISA Red Team Report Featuring SCCM, by CISA
• Client Push Installation Abuse, by Matt Nelson (@enigma0x3)
• CMLoot, by Tomas Rzepka (@1njected)
• cmloot, by Andreas Vikerup and Dan Rosenqvist
• CMPivot SharpSCCM Support, by Diego Lomellini (@DiLomSec1)
• Coercing NTLM Authentication from SCCM, by Chris Thompson (@_Mayyhem)
• Deobfuscator Implementation in Python, by @SkelSec
• Defending the Castle, by Tom Degreef and Kim Oppalfens
• Exploring SCCM by Unobfuscating Network Access Accounts, by Adam Chester (@xpn)
• Get Secrets via PXE Media Certificates SharpSCCM PR, by Carsten Sandker (@0xcsandker)
• Grow Your Own SCCM Lab, by @HTTP418
• Hierarchy Takeover without SOCKS, by Chris Thompson (@_Mayyhem)
• Identifying and Retrieving Credentials from SCCM/MECM Task Sequences, Christopher Panayi
• I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays
• impacket SCCM Relay, by Matt Creel (@Tw1sm)
• Looting Microsoft Configuration Manager, by Tomas Rzepka (@1njected)
• MalSCCM, by Phil Keeble (@The_Keeb)
• Microsoft Configuration Manager (ConfigMgr) 2403 Unauthenticated SQL Injections, by Mehdi Elyassa
• Microsoft’s Accidental Enterprise DFIR Tool, by Keith Tyler
• Mimikatz misc::sccm, by Benjamin Delpy (@gentilkiwi)
• Mimikatz dpapi::sccm, by Benjamin Delpy (@gentilkiwi)
• mprecon, by temp43487580
• Offensive Operations with PowerSCCM, by Matt Nelson (@enigma0x3)
• Offensive SCCM Summary, by @HTTP418
• Owning One to Rule Them All, by Dave Kennedy (@HackingDave) and Dave DeSimone
• Network Access Accounts are evil…, by Roger Zander
• PowerSCCM, by Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Jared Atkinson (@jaredcatkinson), and Matt Graeber (@mattifestation)
• Pulling Passwords Out of Configuration Manager, by Christopher Panayi
• Push, by Vulnlab
• Push Comes to Shove: Exploring SCCM Attack Paths, by Brandon Colley (@TechBrandon)
• Push Comes to Shove Part 1, by Brandon Colley (@TechBrandon)
• Push Comes to Shove Part 2, by Brandon Colley (@TechBrandon)
• PXEThief, by Christopher Panayi
• pxethiefy, by Carsten Sandker (@0xcsandker)
• Red Team Ops SCCM Module, by Zero Point Security (@zeropointsecltd)
• Relaying NTLM Authentication from SCCM Clients, by Chris Thompson (@_Mayyhem)
• SCCM and Incident Response Part 1, by hexacorn
• SCCM and Incident Response Part 2, by hexacorn
• SCCM Credential Recovery for Network Access Accounts, by Evan McBroom (@mcbroom_evan)
• SCCM Decrypt POC, by Adam Chester (@xpn)
• SCCM w/ Garrett Foster (@garrfoster), by Brandon Colley (@TechBrandon) at Trimarc Happy Hour
• SCCM Exploitation: The First Cred is the Deepest II, by Gabriel Prud’homme (@vendetce)
• SCCM Exploitation: Account Compromise Through Automatic Client Push & AD System Discovery, by Marshall Price (@__mastadon)
• SCCM Exploitation: Evading Defenses and Moving Laterally with SCCM Application Deployment, by Marshall Price (@__mastadon)
• SCCM/MECM Hacker Recipes, by Charlie Bromberg (@_nwodtuhs)
• SCCM Hierarchy Takeover, by Chris Thompson (@_Mayyhem)
• SCCM Hierarchy Takeover with High Availability, by Garrett Foster (@garrfoster)
• SCCM Site Takeover via Automatic Client Push Installation, by Chris Thompson (@_Mayyhem)
• SCCM - Microsoft’s Native C2, by @RedHeadSec
• SCCMDecryptor-BOF, by NocteDefensor
• SCCMHunter - Python-based SCCM reconnaissance and exploitation toolkit by Garrett Foster (GitHub)
• SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement, by Quentin Roland (@croco_byte)
• sccmwtf, by Adam Chester (@xpn)
• SCCM-Enumeration, by Cr0n1c
• SeeSeeYouExec: Windows Session Hijacking via CcmExec, by Andrew Oliveau (@AndrewOliveau)
• SharpDPAPI SCCM Credential Gathering Support by Duane Michael (GitHub)
• SharpSCCM - C# toolkit for SCCM security assessment and exploitation by Chris Thompson (GitHub)
• Site Takeover via SCCM’s AdminService API, by Garrett Foster (@garrfoster)
• Snaplabs SCCM Lab Template, by @an0n_r0
• SQLRecon SCCM Module, by Sanjiv Kawa (@sanjivkawa)
• Targeted Workstation Compromise with SCCM, by Matt Nelson (@enigma0x3)
• The Phantom Credentials of SCCM: Why the NAA Won’t Die, by Duane Michael (@subat0mik)
• The State of SCCM Exploitation in 2024, by Christopher Panayi
• We Have C2 at Home: Leveraging Microsoft’s C2 Framework, by Garrett Foster (@garrfoster)