Most situational awareness commands require you to first set a target device using the
interact [ResourceID] command. You can find ResourceIDs using the database query commands.System Information Commands
administrators
Description
Query the interactive device for members of the device’s local administrators group.Usage
Copy
Ask AI
administrators
Example
Copy
Ask AI
(16777221) (C:\) >> administrators
[19:38:17] INFO Tasked SCCM to run Administrators.
[19:38:19] INFO Got OperationId 16779666. Sleeping 10 seconds to wait for host to call home.
[19:38:29] INFO No results yet, sleeping 10 seconds.
[19:38:41] INFO +---------------+----------------------+-------------------+----------+
| ObjectClass | Name | PrincipalSource | Device |
+===============+======================+===================+==========+
| User | DP\Administrator | Local | DP |
+---------------+----------------------+-------------------+----------+
| Group | LAB\Domain Admins | ActiveDirectory | DP |
+---------------+----------------------+-------------------+----------+
| Group | LAB\SCCM_SiteServers | ActiveDirectory | DP |
+---------------+----------------------+-------------------+----------+
console_users
Description
Returns data detailing the users that have logged on to the target system.Usage
Copy
Ask AI
console_users
Example
Copy
Ask AI
(16777221) (C:\) >> console_users
[19:39:28] INFO Tasked SCCM to show all users that have signed in.
[19:39:31] INFO Got OperationId 16779667. Sleeping 10 seconds to wait for host to call home.
[19:39:41] INFO +---------------------+-------------------------+-------------------------------+---------------------------+----------+
| LastConsoleUse | NumberOfConsoleLogons | SystemConsoleUser | TotalUserConsoleMinutes | Device |
+=====================+=========================+===============================+===========================+==========+
| 2024-01-27 14:08:00 | 1 | win-3sflnhdib39\administrator | 495 | DP |
+---------------------+-------------------------+-------------------------------+---------------------------+----------+
| 2024-01-28 22:42:35 | 1 | lab\administrator | 2435 | DP |
+---------------------+-------------------------+-------------------------------+---------------------------+----------+
sessions
Description
List active sessions on the interactive device.Usage
Copy
Ask AI
sessions
Example
Copy
Ask AI
(16777221) (C:\) >> sessions
[19:50:29] INFO Tasked SCCM to show users currently signed in to 16777221.
[19:50:31] INFO Got OperationId 16779679. Sleeping 10 seconds to wait for host to call home.
[19:50:41] INFO +---------------------+----------+
| UserName | Device |
+=====================+==========+
| DP\DefaultAppPool | DP |
+---------------------+----------+
| DP\IUSR | DP |
+---------------------+----------+
| DP\LOCAL SERVICE | DP |
+---------------------+----------+
| DP\NETWORK SERVICE | DP |
+---------------------+----------+
| LAB\Administrator | DP |
+---------------------+----------+
| NT AUTHORITY\SYSTEM | DP |
+---------------------+----------+
Hardware Information Commands
disk
Description
List available disk drives and space on the interactive system.Usage
Copy
Ask AI
disk
Example
Copy
Ask AI
(16777221) (C:\) >> disk
[19:40:23] INFO Tasked SCCM to show disk information of 16777221.
[19:40:24] INFO Got OperationId 16779668. Sleeping 10 seconds to wait for host to call home.
[19:40:35] INFO +--------+------------------+-------------+-------------+--------------+----------------------+----------+
| Name | Description | Size | FreeSpace | Compressed | VolumeSerialNumber | Device |
+========+==================+=============+=============+==============+======================+==========+
| C: | Local Fixed Disk | 53012852736 | 40399273984 | False | 5E2D550E | DP |
+--------+------------------+-------------+-------------+--------------+----------------------+----------+
| D: | CD-ROM Disc | 5044094976 | 0 | False | D10C768B | DP |
+--------+------------------+-------------+-------------+--------------+----------------------+----------+
list_disk
Description
Lists available disk drives on the interactive system.Usage
Copy
Ask AI
list_disk
Example
Copy
Ask AI
(16777221) (C:\) >> list_disk
[19:43:02] INFO Tasked SCCM to show mounted drives on 16777221.
[19:43:04] INFO Got OperationId 16779671. Sleeping 10 seconds to wait for host to call home.
[19:43:17] INFO +------------------+-----------+------------+----------+
| Description | Caption | DeviceID | Device |
+==================+===========+============+==========+
| Local Fixed Disk | C: | C: | DP |
+------------------+-----------+------------+----------+
| CD-ROM Disc | nan | D: | DP |
+------------------+-----------+------------+----------+
System Configuration Commands
environment
Description
List environment variables from the interactive system.Usage
Copy
Ask AI
environment
Example
Copy
Ask AI
(16777221) (C:\) >> environment
[19:40:51] INFO Tasked SCCM to show Environment variables of 16777221.
[19:40:53] INFO Got OperationId 16779669. Sleeping 10 seconds to wait for host to call home.
[19:41:03] INFO No results yet, sleeping 10 seconds.
[19:41:14] INFO +-----------------------------------+-----------------------------------+------------------------+----------+------------------+------------------------------+--------------------------------------------------------------------------------------------------------------------------------+----------+
| Caption | Description | Name | Status | SystemVariable | UserName | VariableValue | Device |
+===================================+===================================+========================+==========+==================+==============================+================================================================================================================================+==========+
| <SYSTEM>\ComSpec | <SYSTEM>\ComSpec | ComSpec | OK | True | <SYSTEM> | %SystemRoot%\system32\cmd.exe | DP |
+-----------------------------------+-----------------------------------+------------------------+----------+------------------+------------------------------+--------------------------------------------------------------------------------------------------------------------------------+----------+
| <SYSTEM>\DriverData | <SYSTEM>\DriverData | DriverData | OK | True | <SYSTEM> | C:\Windows\System32\Drivers\DriverData | DP |
+-----------------------------------+-----------------------------------+------------------------+----------+------------------+------------------------------+--------------------------------------------------------------------------------------------------------------------------------+----------+
| <SYSTEM>\OS | <SYSTEM>\OS | OS | OK | True | <SYSTEM> | Windows_NT | DP |
+-----------------------------------+-----------------------------------+------------------------+----------+------------------+------------------------------+--------------------------------------------------------------------------------------------------------------------------------+----------+
ipconfig
Description
Run ipconfig on the interactive host and retrieve networking info.Usage
Copy
Ask AI
ipconfig
Example
Copy
Ask AI
(16777221) (C:\) >> ipconfig
[19:42:23] INFO Tasked SCCM to run IPCONFIG.
[19:42:27] INFO Got OperationId 16779670. Sleeping 10 seconds to wait for host to call home.
[19:42:39] INFO +------------------+--------------+--------------------------------------------+----------+---------------+----------------------+-----------------------------+----------+
| InterfaceAlias | Name | InterfaceDescription | Status | IPV4Address | IPV4DefaultGateway | DNSServerList | Device |
+==================+==============+============================================+==========+===============+======================+=============================+==========+
| Ethernet0 | internal.lab | Intel(R) 82574L Gigabit Network Connection | Up | 10.10.100.11 | 10.10.100.10 | 10.10.100.100; 10.10.100.10 | DP |
+------------------+--------------+--------------------------------------------+----------+---------------+----------------------+-----------------------------+----------+
osinfo
Description
Query operating system and architecture info for the interactive device.Usage
Copy
Ask AI
osinfo
Example
Copy
Ask AI
(16777221) (C:\) >> osinfo
[19:45:22] INFO Tasked SCCM to show system info of 16777221.
[19:45:25] INFO Got OperationId 16779673. Sleeping 10 seconds to wait for host to call home.
[19:45:35] INFO +---------------------------------------------------+------------+------------------+----------+
| Caption | Version | OSArchitecture | Device |
+===================================================+============+==================+==========+
| Microsoft Windows Server 2022 Standard Evaluation | 10.0.20348 | 64-bit | DP |
+---------------------------------------------------+------------+------------------+----------+
Process and Service Information Commands
ps
Description
List current running processes for the interactive device.Usage
Copy
Ask AI
ps
Example
Copy
Ask AI
(16777221) (C:\) >> ps
[19:45:52] INFO Tasked SCCM to list processes.
[19:45:53] INFO Got OperationId 16779674. Sleeping 10 seconds to wait for host to call home.
[19:46:04] INFO No results yet, sleeping 10 seconds.
[19:46:16] INFO +---------------------+-------------+---------------------+------------------+---------------+----------+
| Name | ProcessId | CreationDate | WorkingSetSize | HandleCount | Device |
+=====================+=============+=====================+==================+===============+==========+
| System Idle Process | 0 | 2024-01-30 02:48:49 | 8192 | 0 | DP |
+---------------------+-------------+---------------------+------------------+---------------+----------+
| System | 4 | 2024-01-30 02:48:49 | 151552 | 1420 | DP |
+---------------------+-------------+---------------------+------------------+---------------+----------+
| Registry | 100 | 2024-01-30 02:48:43 | 75931648 | 0 | DP |
+---------------------+-------------+---------------------+------------------+---------------+----------+
| smss.exe | 300 | 2024-01-30 02:48:49 | 1298432 | 57 | DP |
+---------------------+-------------+---------------------+------------------+---------------+----------+
| csrss.exe | 408 | 2024-01-30 02:48:50 | 6266880 | 385 | DP |
+---------------------+-------------+---------------------+------------------+---------------+----------+
services
Description
List current running services on the interactive device.Usage
Copy
Ask AI
services
Example
Copy
Ask AI
(16777221) (C:\) >> services
[19:47:25] INFO Tasked SCCM to list services.
[19:47:27] INFO Got OperationId 16779676. Sleeping 10 seconds to wait for host to call home.
[19:47:38] INFO +------------------------------------------+------------------------------------------------------------------------------------------+-------------+---------------+-----------+----------+
| Name | PathName | ProcessId | ServiceType | Started | Device |
+==========================================+==========================================================================================+=============+===============+===========+==========+
| AJRouter | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p | 0 | Share Process | False | DP |
+------------------------------------------+------------------------------------------------------------------------------------------+-------------+---------------+-----------+----------+
| ALG | C:\Windows\System32\alg.exe | 0 | Own Process | False | DP |
+------------------------------------------+------------------------------------------------------------------------------------------+-------------+---------------+-----------+----------+
| AppHostSvc | C:\Windows\system32\svchost.exe -k apphost | 1172 | Share Process | True | DP |
+------------------------------------------+------------------------------------------------------------------------------------------+-------------+---------------+-----------+----------+
software
Description
List currently installed software on the interactive device.Usage
Copy
Ask AI
software
Example
Copy
Ask AI
(16777221) (C:\) >> software
[19:52:10] INFO Tasked SCCM to list software installed 16777221.
[19:52:12] INFO Got OperationId 16779681. Sleeping 10 seconds to wait for host to call home.
[19:52:23] INFO +--------------------------------------------------------------------+-----------------------+------------------+----------+
| ProductName | Publisher | ProductVersion | Device |
+====================================================================+=======================+==================+==========+
| VMware Tools | VMware, Inc. | 12.0.0.19345655 | DP |
+--------------------------------------------------------------------+-----------------------+------------------+----------+
| Microsoft Visual C++ 2019 X64 Additional Runtime - 14.29.30133 | Microsoft Corporation | 14.29.30133 | DP |
+--------------------------------------------------------------------+-----------------------+------------------+----------+
| Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.29.30133 | Microsoft Corporation | 14.29.30133 | DP |
+--------------------------------------------------------------------+-----------------------+------------------+----------+
Network Information Commands
shares
Description
List all available file shares on the interactive device.Usage
Copy
Ask AI
shares
Example
Copy
Ask AI
(16777221) (C:\) >> shares
[19:51:39] INFO Tasked SCCM to list file shares.
[19:51:41] INFO Got OperationId 16779680. Sleeping 10 seconds to wait for host to call home.
[19:51:52] INFO +-----------------+------------------------------------------------------------------+-------------------+------------+----------------+----------+
| Name | Description | Path | Type | AllowMaximum | Device |
+=================+==================================================================+===================+============+================+==========+
| ADMIN$ | Remote Admin | C:\Windows | 2147483648 | True | DP |
+-----------------+------------------------------------------------------------------+-------------------+------------+----------------+----------+
| C$ | Default share | C:\ | 2147483648 | True | DP |
+-----------------+------------------------------------------------------------------+-------------------+------------+----------------+----------+
| IPC$ | Remote IPC | | 2147483651 | True | DP |
+-----------------+------------------------------------------------------------------+-------------------+------------+----------------+----------+
| SCCMContentLib$ | 'Configuration Manager' Content Library for site LAB (1/27/2024) | C:\SCCMContentLib | 0 | True | DP |
+-----------------+------------------------------------------------------------------+-------------------+------------+----------------+----------+
File System Commands
cd
Description
Change directories on the command line. This is required for both thels and cat commands.
Usage
Copy
Ask AI
cd [filepath]
Example
Copy
Ask AI
(16777221) (C:\) >> cd C:\Users
(16777221) (C:\Users\) >> ls
[23:25:28] INFO Tasked SCCM to list files in C:\Users\.
[23:25:28] INFO Got OperationId 16779694. Sleeping 10 seconds to wait for host to call home.
[23:25:41] INFO +----------------------------+--------+---------------------+--------+----------+
| FileName | Mode | LastWriteTime | Size | Device |
+============================+========+=====================+========+==========+
| C:\Users\Administrator | d----- | 2024-01-27 05:53:07 | 1 | DP |
+----------------------------+--------+---------------------+--------+----------+
| C:\Users\administrator.LAB | d----- | 2024-02-08 07:21:12 | 1 | DP |
+----------------------------+--------+---------------------+--------+----------+
ls
Description
Will list the contents of the current directory represented on the command line. Defaults to C:. You must issue a cd command to another known directory (i.e.cd C:\Users) to list the contents of that Users directory and so on.
Usage
Copy
Ask AI
ls
Example
Copy
Ask AI
(16777221) (C:\) >> ls
[19:43:31] INFO Tasked SCCM to list files in C:\.
[19:43:33] INFO Got OperationId 16779672. Sleeping 10 seconds to wait for host to call home.
[19:43:47] INFO +------------------------------+--------+---------------------+--------+----------+
| FileName | Mode | LastWriteTime | Size | Device |
+==============================+========+=====================+========+==========+
| C:\$Recycle.Bin | d--hs- | 2024-01-27 06:07:22 | 1 | DP |
+------------------------------+--------+---------------------+--------+----------+
| C:\$WinREAgent | d--h-- | 2024-01-27 14:07:43 | 1 | DP |
+------------------------------+--------+---------------------+--------+----------+
| C:\Documents and Settings | d--hsl | 2024-01-27 21:59:32 | 1 | DP |
+------------------------------+--------+---------------------+--------+----------+
cat
Description
Display the contents of a file on the interactive device. The command line must be configured with the path to the file contents directory. For example, if the file you want to display is in “C:\Windows\Temp”, you must issue acd command to configure the command line with that file path in addition to the interactive device.
Usage
Copy
Ask AI
cat [filename]
Example
Copy
Ask AI
(16777221) (C:\) >> cd C:\Users\administrator.LAB\.ssh
(16777221) (C:\Users\administrator.LAB\.ssh\) >> cat id_rsa
[23:21:41] INFO Tasked SCCM to show id_rsa
[23:21:43] INFO [+] Updates script created successfully with GUID 22057b18-d704-4734-ac35-2641eae96fb4.
[23:21:47] INFO [+] Script with guid 22057b18-d704-4734-ac35-2641eae96fb4 approved.
[23:21:49] INFO [+] Script with guid 22057b18-d704-4734-ac35-2641eae96fb4 executed.
[23:22:08] INFO [+] Got result:
[23:22:08] INFO -----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAv0P8SG6b1AfXaWVmslD32pxVgncux1cxgNv6CnnG/OxDvAQdsBiB
[... content truncated for brevity ...]
-----END OPENSSH PRIVATE KEY-----
[23:22:12] INFO [+] Script with GUID 22057b18-d704-4734-ac35-2641eae96fb4 deleted.
SCCM limits the result returned from scripts to 4KB. If the file size is larger it will be truncated or unreliable. Additionally, since scripts are used, you may need to supply alternate credentials.
All situational awareness commands operate through CMPivot and may take 10+ seconds to complete as they wait for the target system to call home and execute the commands.