Skip to main content

Overview

Enumerate managed devices and their properties. This provides comprehensive device intelligence including system information, user relationships, and management status from the SCCM database.

Syntax

SharpSCCM get devices [options]

Parameters

sms-provider
string
The IP address, FQDN, or NetBIOS name of the SMS Provider to connect to
site-code
string
The three-character site code (e.g., “PS1”)
name
string
Filter devices by name pattern (supports partial matching)
user
string
Filter devices by last logged-on user
properties
string
Specify properties to retrieve (can be used multiple times)
where-condition
string
Custom WQL WHERE clause for advanced filtering
count
boolean
Return count of results only
verbose
boolean
Display all device properties

Examples

# List all managed devices
SharpSCCM get devices -sms SCCM01.corp.local -sc PS1

Key Properties

PropertyDescriptionUse Case
NameDevice NetBIOS namePrimary identifier
LastLogonUserNameLast logged-on userUser-device mapping
LastLogonTimestampLast logon timeActivity analysis
IPAddressNetwork addressNetwork topology
ResourceIDUnique SCCM identifierCross-referencing
ClientSCCM client statusManagement verification
DomainActive Directory domainDomain analysis
OperatingSystemNameandVersionOS detailsVulnerability assessment

Required Permissions

SMS Admins local group membership on the SMS Provider server

Intelligence Gathering

Admin Workstations:
LastLogonUserName LIKE '%admin%'
LastLogonUserName LIKE '%service%'
Name LIKE '%admin%'
Active Systems:
Client = 1 AND LastLogonTimestamp > '2023-01-01'
Servers:
OperatingSystemNameandVersion LIKE '%Server%'
IP Address Mapping:
  • Identify network segments and VLANs
  • Map internal network topology
  • Find DMZ and management networks
Device Distribution:
  • Analyze device naming conventions
  • Identify organizational units
  • Map physical locations
Primary User Mapping:
  • Identify which users use which devices
  • Find shared workstations
  • Locate user-specific systems
Administrative Access:
  • Identify devices with admin user access
  • Find service account usage patterns
  • Locate privileged access workstations

Filtering Strategies

Client = 1

Output Analysis

Common naming conventions reveal:
  • DESKTOP- or WS-: Workstations
  • SRV- or SERVER-: Servers
  • DC- or DOM-: Domain controllers
  • LAPTOP- or NB-: Mobile devices
User logon patterns indicate:
  • Administrative accounts (admin, service prefixes)
  • Shared accounts (generic names)
  • Service accounts (svc- prefixes)
  • Personal accounts (firstname.lastname)

Common Use Cases

Identify target systems for lateral movement:
  • Admin workstations for credential harvesting
  • Servers for privilege escalation
  • Systems with specific user access
Comprehensive asset discovery:
  • Total device count and distribution
  • Operating system analysis
  • Network segment mapping
Understand user behavior:
  • Login patterns and frequency
  • Device usage relationships
  • Administrative access patterns