
Overview

Requests the machine policy from a management point and decrypts the credentials it carries: Network Access Account (NAA) passwords, collection variables, and task sequence account passwords. The command uses SCCM's own policy distribution mechanism, so the management point hands these secrets to any client identity it trusts.
High-Impact Operation: This command recovers plaintext credentials, including Network Access Account passwords, and NAAs are frequently over-privileged domain accounts.

Syntax

SharpSCCM get secrets [options]

Parameters

management-point (string): Management point server address
site-code (string): The three-character site code (e.g., "PS1")
register-client (string): Name of the new device to register before requesting policy
username (string): Computer account used for device registration, including the trailing $
password (string): Password of that computer account
certificate (string): Base64-encoded certificate blob of a previously registered client, for certificate authentication
client-id (string): SMS client GUID that the management point assigned to that client at registration
output-file (string): Path where the retrieved policy XML is saved for offline analysis

Authentication Methods

Method 1: Existing SCCM client certificate (default, no options)
Prerequisites: Local Administrator on an SCCM client
Process:
  1. Uses the existing SCCM client certificate
  2. Requests machine policy from the management point
  3. Extracts credentials from the policy response
Advantages:
  • No additional credentials required
  • Uses a legitimate client identity
  • Minimal audit trail

Method 2: Register a new device (register-client with username and password)
Prerequisites: Computer account credentials
Process:
  1. Generates a self-signed client certificate and registers a new device with the management point, authenticating as the computer account
  2. Receives a unique SMS client GUID from the management point; the generated certificate is now trusted for that client record
  3. Requests policy using the new device identity
  4. Extracts credentials from the policy
Advantages:
  • Works from any system that can reach the management point
  • Creates a legitimate-looking device record
  • Bypasses the need for an installed client

Method 3: Supplied client certificate (certificate with client-id)
Prerequisites: Existing SCCM client certificate and its client GUID
Process:
  1. Uses the provided certificate for authentication
  2. Impersonates the existing SCCM client
  3. Requests policy using the certificate identity
Advantages:
  • Reuses existing client certificates, including one created by an earlier device registration
  • No device registration required
  • Works with certificates extracted from a compromised client

Examples

# Use the local SCCM client certificate (run as a local administrator on an existing client)
SharpSCCM get secrets

# Save policy to file for analysis
SharpSCCM get secrets -o policy.xml

Required Permissions

Local Administrator on an SCCM client OR computer account credentials OR a valid SCCM client certificate with its client GUID

Credential Types Extracted

Network Access Account (NAA)
Purpose: Domain account that clients use to access distribution point content when the computer account cannot authenticate (workgroup clients, WinPE during OS deployment, untrusted forests)
Characteristics:
  • Often granted far more privilege than the read access to content it needs
  • Frequently shared across sites and environments
  • Only needed when computer account authentication is unavailable; Enhanced HTTP removes most of the need for it
Security Impact:
  • High-value target for lateral movement
  • Often a member of privileged groups
  • May have admin rights on multiple systems

Collection Variables
Purpose: Task sequence variables defined on a device collection and delivered in policy to every member of that collection
Characteristics:
  • Used to pass values, including passwords, to task sequence steps
  • Scoped to the devices in the collection
  • May contain service account passwords
  • Often overlooked in security reviews
Security Impact:
  • Exposure of whatever credentials administrators stored in them
  • Potential service account compromise
  • Every member of the collection receives the same values

Task Sequence Credentials
Purpose: Accounts embedded in task sequence steps for OS deployment
Characteristics:
  • Domain join account used by the Join Domain step
  • Run-as accounts configured on command-line steps
  • Required for unattended deployments, so they are present in the policy whenever the task sequence is deployed
  • Frequently over-privileged; domain administrator accounts are not unusual
Security Impact:
  • Domain admin credential exposure where such accounts are used
  • Full domain compromise potential
  • Abuse of automated deployment

Technical Details

Policy Retrieval Steps:
  1. Client Authentication - Certificate or device registration
  2. Policy Request - HTTP(S) request to management point
  3. Policy Response - Encrypted policy XML containing secrets
  4. Credential Decryption - Extract plaintext credentials
Policy Protection:
  • Secret policy bodies are encrypted to the requesting client's certificate, so only the holder of that client's private key can decrypt them
  • A valid SCCM client identity (registered device plus its certificate) is therefore required
  • HTTPS transport encryption where the site is configured for it (many sites still serve policy over HTTP)
  • Client certificate authentication
Audit Considerations:
  • Policy requests are logged on management points
  • Device registration creates database entries
  • Certificate usage may be audited
  • Network traffic can be monitored
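The registration-then-policy sequence that Method 2 leaves in the management point's IIS logs is the easiest of the audit points above to turn into a detection. The following is an added example, not code from SharpSCCM or from this page: it parses W3C-format IIS logs from a management point and flags a client IP that registered a device and then pulled policy within minutes, plus computer accounts that registered more than one device. It assumes the default IIS field layout shown in the #Fields header, that registration requests hit the Windows-authenticated ccm_system_windowsauth virtual directory (so the computer account appears in cs-username) and that policy requests hit ccm_system/request; the log lines are constructed sample data, and the endpoint paths should be checked against your own MP logs before deployment.

```python
"""Flag SCCM device registration followed by policy requests in MP IIS logs.

Added example (not part of SharpSCCM).  Endpoint paths, the field layout and
the sample log are assumptions / constructed data; verify against real logs.
"""
from __future__ import annotations

import datetime as dt
from collections import Counter, defaultdict
from dataclasses import dataclass

REGISTRATION_PATH = "/ccm_system_windowsauth/request"  # assumed registration endpoint
POLICY_PATH = "/ccm_system/request"                    # assumed policy endpoint

# Constructed sample log (not real data); field layout follows the IIS W3C default.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-06 09:00:01 10.0.0.5 POST /ccm_system/request - 443 - 10.0.1.20 ccmhttp 200
2024-05-06 09:05:10 10.0.0.5 POST /ccm_system_windowsauth/request - 443 CORP\WS-FIN-042$ 10.0.1.77 ccmhttp 200
2024-05-06 09:05:12 10.0.0.5 POST /ccm_system/request - 443 - 10.0.1.77 ccmhttp 200
2024-05-06 09:05:13 10.0.0.5 POST /ccm_system/request - 443 - 10.0.1.77 ccmhttp 200
2024-05-06 09:40:00 10.0.0.5 POST /ccm_system_windowsauth/request - 443 CORP\WS-FIN-042$ 10.0.1.78 ccmhttp 200
2024-05-06 11:30:00 10.0.0.5 POST /ccm_system_windowsauth/request - 443 CORP\WS-HR-010$ 10.0.1.90 ccmhttp 200
2024-05-06 14:00:00 10.0.0.5 POST /ccm_system/request - 443 - 10.0.1.90 ccmhttp 200
"""


@dataclass(frozen=True)
class Request:
    when: dt.datetime
    client_ip: str
    path: str
    user: str       # "-" when the request was anonymous
    status: int


def parse_w3c(text: str) -> list[Request]:
    """Parse W3C extended log lines, using the #Fields header to locate columns."""
    fields: list[str] = []
    requests: list[Request] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        row = dict(zip(fields, line.split()))
        requests.append(Request(
            when=dt.datetime.fromisoformat(f"{row['date']} {row['time']}"),
            client_ip=row["c-ip"],
            path=row["cs-uri-stem"].lower(),
            user=row["cs-username"],
            status=int(row["sc-status"]),
        ))
    return requests


def registration_then_policy(requests: list[Request],
                             window: dt.timedelta = dt.timedelta(minutes=15)):
    """Return (registration, [policy requests]) for every successful registration
    that the same client IP followed with policy requests inside `window`.
    A freshly registered device immediately pulling policy is the footprint of
    the register-client path."""
    by_ip: dict[str, list[Request]] = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.when):
        by_ip[r.client_ip].append(r)
    findings = []
    for reqs in by_ip.values():
        for i, reg in enumerate(reqs):
            if reg.path != REGISTRATION_PATH or reg.status != 200:
                continue
            policy = [p for p in reqs[i + 1:]
                      if p.path == POLICY_PATH and p.when - reg.when <= window]
            if policy:
                findings.append((reg, policy))
    return findings


def repeated_registrations(requests: list[Request], threshold: int = 2) -> dict[str, int]:
    """Computer accounts that successfully registered `threshold` or more devices.
    A real client normally registers itself once; the same account registering
    several device names (one per tool run) deserves a look."""
    counts = Counter(r.user for r in requests
                     if r.path == REGISTRATION_PATH and r.status == 200 and r.user != "-")
    return {user: n for user, n in counts.items() if n >= threshold}


def main() -> None:
    requests = parse_w3c(SAMPLE_LOG)
    for reg, policy in registration_then_policy(requests):
        print(f"[!] {reg.client_ip} registered as {reg.user} at {reg.when:%H:%M:%S} "
              f"and requested policy {len(policy)}x within 15 min")
    for user, n in repeated_registrations(requests).items():
        print(f"[!] {user} registered {n} devices")


if __name__ == "__main__":
    main()
```

On the sample data this reports 10.0.1.77 (registration followed by two policy requests within seconds) and CORP\WS-FIN-042$ (two registrations from different hosts); 10.0.1.90, which registered and only pulled policy hours later, is not flagged by the default window. The same logic can be fed from a SIEM query over the MP's IIS logs instead of a file.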

Output Format

Extracted credentials are displayed in a structured format (values below are illustrative):
[+] Network Access Account found:
    Domain: CORP
    Username: svc_naa
    Password: P@ssw0rd123!

[+] Collection variables found:
    Variable: AppPassword
    Value: ServiceP@ss
    Collection: Application Servers

[+] Task sequence credentials found:
    Domain Join Account: CORP\svc_domainjoin
    Password: Dom@inP@ss123

Operational Security

Low-Profile Techniques:
  • Use existing client certificates when possible
  • Avoid device registration if not necessary
  • Request policies during normal business hours
  • Use legitimate-looking device names
Reduce Detection Risk:
  • Limit policy request frequency
  • Use existing management point connections
  • Avoid unusual certificate patterns
  • Clean up registered devices if needed

Common Issues

Error: Policy request denied or authentication failed
Solutions:
  • Verify the management point address and site code
  • Check the computer account credentials
  • Ensure the certificate is valid and matches the supplied client GUID
  • Verify network connectivity to the management point
Error: Policy received but no credentials extracted
Possible causes:
  • The site may not use a Network Access Account
  • Enhanced HTTP may be enabled, so the site no longer needs an NAA
  • No collection variables may be configured for the requesting device's collections
  • Task sequences deployed to the device may not contain credentials