Overview
Extract collection variable credentials from SCCM policies. Collection variables are key-value pairs assigned to device or user collections that often contain sensitive credentials used for application deployment and system configuration.
Syntax
Parameters
Management point server address
The three-character site code (e.g., “PS1”)
Specific collection ID to target (e.g., “PS100001”)
Collection name pattern for filtering
SMS client GUID for authentication
Base64 certificate blob for client authentication
Save extracted variables to file
Examples
Required Permissions
Local Administrator on SCCM client OR Computer account credentials OR Valid SCCM client certificate
Collection Variables Overview
Variable Types
Application Credentials:
- Database connection strings
- Service account passwords
- API keys and tokens
- Application-specific secrets
- Domain join accounts
- Service installation accounts
- Administrative passwords
- Network access credentials
- Server names and endpoints
- Network configuration
- Application settings
- Environment-specific data
Security Context
Variable Scope:
- Device collections: System-level access
- User collections: User-level access
- Mixed collections: Variable context dependent
- Variables visible to collection members
- Plaintext storage in policies
- Network transmission exposure
Extraction Process
Policy Request Method
Authentication Options:
- Local Client Certificate - Use existing SCCM client
- Device Registration - Register new device identity
- Certificate Impersonation - Use provided certificate
- Request machine policies from management point
- Parse policy XML for collection variable definitions
- Extract variable names and values
- Decrypt any encrypted values
Collection Targeting
Broad Discovery:
- Request policies for multiple collections
- Enumerate all accessible variables
- Map variable distribution patterns
- Focus on specific high-value collections
- Target application-specific collections
- Concentrate on administrative collections
Variable Intelligence
High-Value Variables
Database Credentials:
Service Account Credentials:
Application Secrets:
Common Naming Patterns
Password Variables:
- Password, Pass, Pwd
- Secret, Key, Token
- Credential, Cred, Auth
- User, Username, Account
- ServiceAccount, SvcUser
- RunAs, ExecuteAs, Identity
- ConnectionString, ConnString
- Server, Host, Endpoint
- URL, URI, Address
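For administrators auditing their own site, the naming patterns above can drive an inventory check that flags collection variables likely to hold credentials, so they can be removed or replaced with a safer mechanism. This is an added example, not code from the tool or the original page; the CSV columns, the three category labels and the sample rows are assumptions made for illustration.

```python
import csv
import io
import re

# Name fragments taken from the "Common Naming Patterns" list above.
# The three category labels are this example's own grouping (assumption).
PATTERNS = {
    "secret": ["Password", "Pass", "Pwd", "Secret", "Key", "Token",
               "Credential", "Cred", "Auth"],
    "account": ["User", "Username", "Account", "ServiceAccount", "SvcUser",
                "RunAs", "ExecuteAs", "Identity"],
    "endpoint": ["ConnectionString", "ConnString", "Server", "Host",
                 "Endpoint", "URL", "URI", "Address"],
}
LOOKUP = {p.lower(): cat for cat, ps in PATTERNS.items() for p in ps}

# Split on camelCase, acronyms, digits and separators so that "Bypass" or
# "Keyboard" do not match "Pass" or "Key" the way a substring search would.
TOKEN_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]+|[a-z]+|\d+")


def classify(name):
    """Return the sorted categories whose patterns appear in a variable name."""
    tokens = [t.lower() for t in TOKEN_RE.findall(name)]
    # Adjacent pairs catch compound patterns such as Conn+String or Run+As.
    candidates = tokens + [a + b for a, b in zip(tokens, tokens[1:])]
    return sorted({LOOKUP[c] for c in candidates if c in LOOKUP})


def audit(csv_text):
    """Yield (collection_id, variable, categories) for every flagged row."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        cats = classify(row["Variable"])
        if cats:
            yield row["CollectionID"], row["Variable"], cats


# Constructed inventory export; the column names are hypothetical.
SAMPLE = """CollectionID,Variable
PS100001,SQL_SvcUser_Pwd
PS100001,KeyboardLayout
PS100002,DBConnString
PS100002,BypassProxy
PS100003,OSDJoinAccount
"""

if __name__ == "__main__":
    for cid, var, cats in audit(SAMPLE):
        print(f"{cid}  {var:<18} {', '.join(cats)}")
```

Token-based matching keeps the review list short: names such as KeyboardLayout and BypassProxy are not flagged, while compound names such as DBConnString are.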
Output Format
Extracted variables are displayed with collection context:
Attack Opportunities
Credential Reuse
Lateral Movement:
- Use extracted credentials on target systems
- Test credentials across multiple systems
- Exploit password reuse patterns
- Identify service account credentials
- Map service account usage patterns
- Exploit service account privileges
Application Targeting
Database Access:
- Use database credentials for direct access
- Bypass application security controls
- Access sensitive data repositories
- Leverage API keys and tokens
- Access web services and APIs
- Exploit service authentication
Operational Security
Stealth Considerations
Policy Requests:
- Policy requests may be logged
- Avoid unusual request patterns
- Use legitimate client identities
- Collection membership affects access
- Target appropriate collections
- Avoid excessive enumeration
Common Use Cases
Credential Harvesting
Application Deployment Credentials:
- Service account passwords for application installation
- Database credentials for application configuration
- API keys and tokens for service integration
- Domain join account credentials
- Administrative account passwords
- Network service credentials
Environment Mapping
Infrastructure Discovery:
- Server names and network locations
- Service endpoints and URLs
- Configuration and connection details
- Database server locations
- Service dependencies
- Integration points and APIs
Related Commands
- get collections - Identify collections with variables
- get collection-members - Understand variable scope
- get secrets - Comprehensive credential extraction
- local secrets - Local credential extraction