Overview
Analyze automatic client push installation settings from the SMS Provider. This reveals security-relevant configuration including push accounts and authentication settings.Syntax
Parameters
The IP address, FQDN, or NetBIOS name of the SMS Provider to connect to
The three-character site code (e.g., “PS1”)
Examples
Required Permissions
SMS Admins local group membership on the SMS Provider server
Security Analysis
Key Information Revealed
Key Information Revealed
Client Push Installation Accounts:
- Often domain administrator accounts
- Used for remote client installation
- May have excessive privileges
- Whether NTLM authentication is allowed
- Fallback mechanisms for failed installations
- Authentication security settings
- Which systems are targeted for automatic push
- Installation triggers and conditions
- Target system types and filters
Attack Opportunities
Attack Opportunities
Credential Targeting:
- Identify client push accounts for credential attacks
- Target accounts with broad administrative access
- Focus on accounts with domain-wide privileges
- Exploit NTLM fallback if enabled
- Target systems in automatic push scope
- Abuse installation mechanisms for lateral movement
Output Analysis
The command reveals push installation configuration including:- Installation accounts and their privilege levels
- Authentication methods and fallback options
- Target scope and installation criteria
- Security settings and restrictions
Common Use Cases
Credential Intelligence
Credential Intelligence
Identify high-value administrative accounts used for client push operations.
Attack Surface Analysis
Attack Surface Analysis
Understand client push configuration to identify potential attack vectors and misconfigurations.
Privilege Escalation
Privilege Escalation
Map administrative accounts and their access patterns for privilege escalation planning.
Related Commands
get admins- Enumerate all SCCM administratorsget site-info- Discover SCCM infrastructureget devices- Identify potential push targets