Overview

Enumerate applications available in SCCM. Applications represent software packages that can be deployed to collections, making them potential attack vectors for lateral movement and privilege escalation.

Syntax

SharpSCCM get applications [options]

Parameters

sms-provider (string): The IP address, FQDN, or NetBIOS name of the SMS Provider to connect to
site-code (string): The three-character site code (e.g., “PS1”)
name (string): Filter applications by name pattern (supports partial matching)
properties (string): Specify properties to retrieve (can be used multiple times)
where-condition (string): Custom WQL WHERE clause for advanced filtering
count (boolean): Return count of results only
verbose (boolean): Display all application properties

Examples

# List all applications
SharpSCCM get applications -sms SCCM01.corp.local -sc PS1

# Count applications
SharpSCCM get applications -c -sms SCCM01.corp.local -sc PS1

Key Properties

| Property | Description | Values |
| --- | --- | --- |
| LocalizedDisplayName | Application name | User-defined |
| ExecutionContext | Execution context | 0 (System), 1 (User) |
| IsHidden | Hidden from console | True/False |
| IsDeployed | Deployment status | True/False |
| CreatedBy | Creator account | Domain\username |
| DateCreated | Creation date | Timestamp |
| DateLastModified | Last modification | Timestamp |
| IsSuperseded | Superseded status | True/False |

Required Permissions

Application Administrator or Read-only Analyst role

Security Analysis

System Context Applications (ExecutionContext = 0):
  • Run with SYSTEM privileges
  • Potential privilege escalation vectors
  • High impact for lateral movement
Hidden Applications (IsHidden = True):
  • Not visible in Software Center
  • Often administrative or testing applications
  • May contain sensitive functionality
Recently Created Applications:
  • New applications may have weak security
  • Testing applications with elevated privileges
  • Recently added attack tools
Privilege Escalation:
  • System context applications for privilege escalation
  • Applications with excessive permissions
  • Custom applications with security flaws
Lateral Movement:
  • Applications deployed to multiple systems
  • Network-accessible applications
  • Remote execution capabilities
Persistence:
  • Applications with startup or scheduled execution
  • Service-based applications
  • Applications with persistence mechanisms

Application Intelligence

Standard Software:
  • Microsoft Office, browsers, utilities
  • Business applications and tools
  • Development and administrative software
Custom Applications:
  • Organization-specific software
  • In-house developed applications
  • Third-party business applications
Administrative Tools:
  • System administration utilities
  • Security tools and agents
  • Monitoring and management software
Broad Deployment:
  • Standard software packages
  • Security updates and patches
  • Compliance and monitoring tools
Targeted Deployment:
  • Specialized software for specific groups
  • Administrative tools for IT staff
  • Development tools for developers

Common Queries

ExecutionContext = 0

Attack Opportunities

Malicious Applications:
  • Create malicious applications for deployment
  • Modify existing applications
  • Abuse application deployment mechanisms
Legitimate Application Abuse:
  • Exploit applications with excessive privileges
  • Abuse legitimate tools for malicious purposes
  • Use applications for persistence and lateral movement
Deployment Targeting:
  • Target specific collections with malicious applications
  • Abuse existing deployment assignments
  • Create new deployments for lateral movement
Application Modification:
  • Modify application content or commands
  • Change deployment types and requirements
  • Abuse application supersedence

Use Cases

High-Privilege Applications:
  • System context applications for privilege escalation
  • Administrative tools with elevated permissions
  • Custom applications with security weaknesses
Deployment Analysis:
  • Understand application deployment patterns
  • Identify potential deployment targets
  • Analyze organizational software usage
Application Deployment:
  • Use legitimate deployment mechanisms
  • Target specific device collections
  • Abuse application execution contexts
Persistence Establishment:
  • Applications with startup execution
  • Service-based applications
  • Scheduled application execution

Output Analysis

By Execution Context:
  • System applications: High privilege, high risk
  • User applications: Lower privilege, user-focused
By Visibility:
  • Visible applications: Standard user software
  • Hidden applications: Administrative or testing tools
By Creation Source:
  • System-created: Built-in or imported applications
  • User-created: Custom or organizational applications
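
The review criteria from Security Analysis and Output Analysis, applied from the defender's side as an added example (not SharpSCCM code or output): it flags application records for review using the Key Properties listed above. The sample records, their value encodings (string booleans, ISO 8601 timestamps), the approved-creator list and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records keyed by the Key Properties above. The value
# encodings (string booleans, ISO 8601 timestamps) are assumptions.
SAMPLE_APPS = [
    {"LocalizedDisplayName": "Office Suite", "ExecutionContext": "0",
     "IsHidden": "False", "IsDeployed": "True",
     "CreatedBy": "CORP\\sccm-packager", "DateCreated": "2023-01-10T09:00:00+00:00"},
    {"LocalizedDisplayName": "Helper Tool", "ExecutionContext": "0",
     "IsHidden": "True", "IsDeployed": "True",
     "CreatedBy": "CORP\\jdoe", "DateCreated": "2024-05-28T22:14:00+00:00"},
    {"LocalizedDisplayName": "PDF Viewer", "ExecutionContext": "1",
     "IsHidden": "False", "IsDeployed": "False",
     "CreatedBy": "CORP\\sccm-packager", "DateCreated": ""},
]

def is_true(value):
    return str(value).strip().lower() == "true"

def review_flags(app, now, approved_creators, recent_days=30):
    """Return the review flags that apply to one application record."""
    flags = []
    if str(app.get("ExecutionContext", "")).strip() == "0":
        flags.append("system-context")
    if is_true(app.get("IsHidden")):
        flags.append("hidden")
    if str(app.get("CreatedBy", "")).lower() not in approved_creators:
        flags.append("unapproved-creator")
    try:
        created = datetime.fromisoformat(app.get("DateCreated", ""))
        if created.tzinfo is None:          # treat naive timestamps as UTC
            created = created.replace(tzinfo=timezone.utc)
        if now - created <= timedelta(days=recent_days):
            flags.append("recently-created")
    except (ValueError, TypeError):
        flags.append("unparsed-creation-date")  # surface it, do not skip it
    return flags

def triage(apps, now, approved_creators):
    """Rank deployed applications first, then by number of flags."""
    approved = {c.lower() for c in approved_creators}
    rows = [(a["LocalizedDisplayName"], is_true(a.get("IsDeployed")),
             review_flags(a, now, approved)) for a in apps]
    return sorted(rows, key=lambda r: (r[1], len(r[2])), reverse=True)

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed for repeatability
    for name, deployed, flags in triage(SAMPLE_APPS, now, ["CORP\\sccm-packager"]):
        print(f"{name:15} deployed={deployed!s:5} {', '.join(flags) or '-'}")
```

Records with an empty or unreadable creation date are flagged rather than dropped, so they still reach a reviewer.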