SCCM Lab Resources
The following labs are options as well, but do not separate the site database or SMS Provider roles from the primary site server, preventing the use of the majority of TAKEOVER techniques:
Offensive and Defensive SCCM Resources
- Active Directory Spotlight: Attacking The Microsoft Configuration Manager (SCCM/MECM), by Carsten Sandker (@0xcsandker)
- Adding MSSQL to BloodHound using OpenGraph, by Chris Thompson (@_Mayyhem)
- An Inside Look: How to Distribute Credentials Securely in SCCM, by Christopher Panayi
- Attacking and Defending Configuration Manager - An Attacker’s Easy Win, by Logan Goins (@_logangoins)
- Automating SCCM with Ludus: A Configuration Manager for Your Configuration Manager, by Zach Stein (@synzack21)
- Black Hat USA Arsenal 2022: SharpSCCM, by Chris Thompson (@_Mayyhem) and Duane Michael (@subat0mik)
- Black Hat USA Arsenal 2023: SharpSCCM - Abusing Microsoft’s C2 Framework, by Chris Thompson (@_Mayyhem) and Diego Lomellini (@DiLomSec1)
- Black Hat USA SpecterOps Booth 2023: SharpSCCM - Abusing Microsoft’s C2 Framework, by Chris Thompson (@_Mayyhem) and Diego Lomellini (@DiLomSec1)
- CISA Red Team Report Featuring SCCM, by CISA
- Client Push Installation Abuse, by Matt Nelson (@enigma0x3)
- CMLoot, by Tomas Rzepka (@1njected)
- cmloot, by Andreas Vikerup and Dan Rosenqvist
- CMPivot SharpSCCM Support, by Diego Lomellini (@DiLomSec1)
- Coercing NTLM Authentication from SCCM, by Chris Thompson (@_Mayyhem)
- Deobfuscator Implementation in Python, by @SkelSec
- Defending the Castle, by Tom Degreef and Kim Oppalfens
- Exploring SCCM by Unobfuscating Network Access Accounts, by Adam Chester (@xpn)
- Get Secrets via PXE Media Certificates SharpSCCM PR, by Carsten Sandker (@0xcsandker)
- Grow Your Own SCCM Lab, by @HTTP418
- Hierarchy Takeover without SOCKS, by Chris Thompson (@_Mayyhem)
- Identifying and Retrieving Credentials from SCCM/MECM Task Sequences, by Christopher Panayi
- I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays
- impacket SCCM Relay, by Matt Creel (@Tw1sm)
- Looting Microsoft Configuration Manager, by Tomas Rzepka (@1njected)
- MalSCCM, by Phil Keeble (@The_Keeb)
- Microsoft Configuration Manager (ConfigMgr) 2403 Unauthenticated SQL Injections, by Mehdi Elyassa
- Microsoft’s Accidental Enterprise DFIR Tool, by Keith Tyler
- Mimikatz misc::sccm, by Benjamin Delpy (@gentilkiwi)
- Mimikatz dpapi::sccm, by Benjamin Delpy (@gentilkiwi)
- mprecon, by temp43487580
- Offensive Operations with PowerSCCM, by Matt Nelson (@enigma0x3)
- Offensive SCCM Summary, by @HTTP418
- Owning One to Rule Them All, by Dave Kennedy (@HackingDave) and Dave DeSimone
- Network Access Accounts are evil…, by Roger Zander
- PowerSCCM, by Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Jared Atkinson (@jaredcatkinson), and Matt Graeber (@mattifestation)
- Pulling Passwords Out of Configuration Manager, by Christopher Panayi
- Push, by Vulnlab
- Push Comes to Shove: Exploring SCCM Attack Paths, by Brandon Colley (@TechBrandon)
- Push Comes to Shove Part 1, by Brandon Colley (@TechBrandon)
- Push Comes to Shove Part 2, by Brandon Colley (@TechBrandon)
- PXEThief, by Christopher Panayi
- pxethiefy, by Carsten Sandker (@0xcsandker)
- Red Team Ops SCCM Module, by Zero Point Security (@zeropointsecltd)
- Relaying NTLM Authentication from SCCM Clients, by Chris Thompson (@_Mayyhem)
- SCCM and Incident Response Part 1, by hexacorn
- SCCM and Incident Response Part 2, by hexacorn
- SCCM Credential Recovery for Network Access Accounts, by Evan McBroom (@mcbroom_evan)
- SCCM Decrypt POC, by Adam Chester (@xpn)
- SCCM w/ Garrett Foster (@garrfoster), by Brandon Colley (@TechBrandon) at Trimarc Happy Hour
- SCCM Exploitation: The First Cred is the Deepest II, by Gabriel Prud’homme (@vendetce)
- SCCM Exploitation: Account Compromise Through Automatic Client Push & AD System Discovery, by Marshall Price (@__mastadon)
- SCCM Exploitation: Evading Defenses and Moving Laterally with SCCM Application Deployment, by Marshall Price (@__mastadon)
- SCCM/MECM Hacker Recipes, by Charlie Bromberg (@_nwodtuhs)
- SCCM Hierarchy Takeover, by Chris Thompson (@_Mayyhem)
- SCCM Hierarchy Takeover with High Availability, by Garrett Foster (@garrfoster)
- SCCM Site Takeover via Automatic Client Push Installation, by Chris Thompson (@_Mayyhem)
- SCCM - Microsoft’s Native C2, by @RedHeadSec
- SCCMDecryptor-BOF, by NocteDefensor
- SCCMHunter - Python-based SCCM reconnaissance and exploitation toolkit, by Garrett Foster (GitHub)
- SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement, by Quentin Roland (@croco_byte)
- sccmwtf, by Adam Chester (@xpn)
- SCCM-Enumeration, by Cr0n1c
- SeeSeeYouExec: Windows Session Hijacking via CcmExec, by Andrew Oliveau (@AndrewOliveau)
- SharpDPAPI SCCM Credential Gathering Support, by Duane Michael (GitHub)
- SharpSCCM - C# toolkit for SCCM security assessment and exploitation, by Chris Thompson (GitHub)
- Site Takeover via SCCM’s AdminService API, by Garrett Foster (@garrfoster)
- Snaplabs SCCM Lab Template, by @an0n_r0
- SQLRecon SCCM Module, by Sanjiv Kawa (@sanjivkawa)
- Targeted Workstation Compromise with SCCM, by Matt Nelson (@enigma0x3)
- The Phantom Credentials of SCCM: Why the NAA Won’t Die, by Duane Michael (@subat0mik)
- The State of SCCM Exploitation in 2024, by Christopher Panayi
- We Have C2 at Home: Leveraging Microsoft’s C2 Framework, by Garrett Foster (@garrfoster)