Overview

The get naa command retrieves and decrypts Network Access Account (NAA) credentials from SCCM. NAAs are domain accounts used by SCCM clients to access distribution points when the computer account cannot be used.
NAA credentials are often over-privileged domain accounts. Organizations should migrate to Enhanced HTTP to eliminate the need for NAAs.

Syntax

SharpSCCM.exe get naa -mp <ManagementPoint> -sc <SiteCode> [options]

Parameters

  • mp (string, required): The FQDN or NetBIOS name of the SCCM Management Point server
  • sc (string, required): The three-character site code of the SCCM site
  • client (string): The client name to impersonate (defaults to current machine)
  • output (string): Output file path for saving credentials (optional)

Examples

# Get NAA from the current site
SharpSCCM.exe get naa -mp sccm01.corp.local -sc PS1

Output Format

The command outputs discovered NAA credentials in the following format:
[+] Network Access Account found!
    Domain: CORP
    Username: svc_sccm_naa
    Password: P@ssw0rd123!
    SID: S-1-5-21-123456789-123456789-123456789-1001

Technical Details

  1. Policy Request: SharpSCCM requests machine policy from the Management Point
  2. Policy Parsing: Identifies policies containing NAA configurations
  3. DPAPI Decryption: Uses DPAPI to decrypt the credentials blob
  4. Credential Extraction: Parses the decrypted data to extract plaintext credentials

Security teams can detect NAA extraction attempts by monitoring for:
  • Unusual policy requests from client machines
  • DPAPI decryption events related to SCCM
  • Access to NAA-related WMI classes
  • Network traffic to Management Points from unexpected sources

Common Issues

Error: Access denied when requesting policy
Solution: Ensure you’re running from a domain-joined machine with SCCM client installed

Error: No Network Access Account found in policies
Solution: The site may be using Enhanced HTTP or may not have NAAs configured

Error: Failed to decrypt NAA credentials
Solution: You may not have the necessary DPAPI keys. Try running as SYSTEM or with elevated privileges

Security Recommendations

  1. Enable Enhanced HTTP: Configure Enhanced HTTP to eliminate the need for Network Access Accounts
  2. Use Least Privilege: If NAAs are required, use accounts with minimal permissions - only read access to distribution points
  3. Regular Rotation: Rotate NAA passwords regularly and monitor for unauthorized access
  4. Monitor Usage: Set up alerts for NAA authentication from unexpected sources
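
One way to implement the "Monitor Usage" recommendation, as an added example that is not part of SharpSCCM or the original page: it checks Windows Security logon events (Event ID 4624) for the NAA and flags any logon that is not a network logon to a distribution point from a client network. The distribution point names, the client network range and the sample events are constructed assumptions; the account name is the one shown in the sample output above.

```python
"""Flag logons by the Network Access Account (NAA) that do not look like
a client fetching content from a distribution point (DP)."""
import ipaddress

# Assumptions for this example: the account name comes from the page's sample
# output; DP host names, client networks and events are constructed.
NAA_ACCOUNT = "svc_sccm_naa"
DISTRIBUTION_POINTS = {"dp01.corp.local", "dp02.corp.local"}
CLIENT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
NETWORK_LOGON = 3  # Event 4624 LogonType 3 = Network

def naa_findings(events):
    """Return (event, reasons) for each suspicious NAA logon (Event ID 4624)."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["TargetUserName"].lower() != NAA_ACCOUNT:
            continue
        reasons = []
        if ev["Computer"].lower() not in DISTRIBUTION_POINTS:
            reasons.append("logon target is not a distribution point")
        if ev["LogonType"] != NETWORK_LOGON:
            reasons.append(f"logon type {ev['LogonType']} is not a network logon")
        try:
            src = ipaddress.ip_address(ev["IpAddress"])
            known = any(src in net for net in CLIENT_NETWORKS)
        except ValueError:  # "-" or empty when no source address was recorded
            known = False
        if not known:
            reasons.append(f"source {ev['IpAddress']!r} is outside client networks")
        if reasons:
            findings.append((ev, reasons))
    return findings

# Constructed sample events using Event 4624 field names.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "dp01.corp.local", "TargetUserName": "svc_sccm_naa",
     "LogonType": 3, "IpAddress": "10.10.4.27"},     # expected content download
    {"EventID": 4624, "Computer": "fs01.corp.local", "TargetUserName": "svc_sccm_naa",
     "LogonType": 3, "IpAddress": "10.10.4.27"},     # NAA used against a file server
    {"EventID": 4624, "Computer": "dp02.corp.local", "TargetUserName": "SVC_SCCM_NAA",
     "LogonType": 10, "IpAddress": "192.168.50.9"},  # remote interactive, unknown network
    {"EventID": 4624, "Computer": "fs01.corp.local", "TargetUserName": "jdoe",
     "LogonType": 3, "IpAddress": "10.10.4.30"},     # different account, ignored
]

if __name__ == "__main__":
    for ev, reasons in naa_findings(SAMPLE_EVENTS):
        print(f"ALERT {ev['TargetUserName']} on {ev['Computer']}: " + "; ".join(reasons))
```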
