
Overview

The local command group provides comprehensive capabilities for interacting with the local SCCM client. These commands enable reconnaissance, credential extraction, log analysis, and WMI querying directly on the current workstation or server.
Local commands operate entirely on the current system and do not require network connectivity to SCCM infrastructure.

Command Categories

  • WMI Operations
  • Information Gathering
  • File Operations

Common Workflows

Initial Reconnaissance

1. Get Site Information: Start with local site-info to identify the management point and site code.
2. Check Client Version: Use local client-info to verify SCCM client version and compatibility.
3. Comprehensive Analysis: Run local triage for complete log analysis and infrastructure discovery.

Credential Extraction

1. Extract Secrets: Use local secrets -m wmi or local secrets -m disk to extract credentials.
2. Get User Context: Run local user-sid to get the current user’s hex SID for database operations.
3. Verify Access: Use discovered credentials with other SharpSCCM commands.

WMI Investigation

1. List Classes: Start with local classes to see available WMI classes.
2. Examine Properties: Use local class-properties to understand class structure.
3. Query Data: Extract specific data with local class-instances or local query.

Prerequisites

  • Standard User: Most read-only operations (classes, properties, site-info)
  • Local Administrator: Required for secrets extraction and some WMI operations
  • SYSTEM: Optional for enhanced secrets extraction
  • SCCM client must be installed and configured
  • Client should be assigned to a site
  • WMI repository must be accessible and functional

Security Considerations

Local commands can expose sensitive information:
  • Network topology and server locations
  • Domain credentials including Network Access Accounts
  • Configuration details that aid in further attacks
  • User context and privilege information
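
A defender's view of the exposure listed above, as an added example that is not part of SharpSCCM or its documentation: it classifies process-creation command lines by the local subcommands named on this page. The severity labels, host names and log lines are assumptions constructed for illustration.

```python
import shlex

# Subcommands of the `local` group named on this page. The severity labels
# are an assumption of this example, not something the tool defines.
SEVERITY = {
    "secrets": "high",  # credential extraction (-m wmi / -m disk)
    "triage": "medium", "user-sid": "medium",
    "site-info": "low", "client-info": "low", "classes": "low",
    "class-properties": "low", "class-instances": "low", "query": "low",
}
RANK = {"low": 0, "medium": 1, "high": 2}

def classify(command_line):
    """Return (subcommand, severity, method) for a `local` invocation, else None.

    Matches the argument grammar rather than the image name, so the result
    does not depend on what the executable is called.
    """
    try:
        argv = shlex.split(command_line, posix=False)  # keep Windows backslashes
    except ValueError:  # unbalanced quotes in the logged command line
        argv = command_line.split()
    args = [a.lower() for a in argv]
    for i in range(1, len(args) - 1):  # index 0 is the image path
        if args[i] == "local" and args[i + 1] in SEVERITY:
            rest = args[i + 2:]
            method = None
            if "-m" in rest[:-1]:  # only when a value follows the flag
                method = rest[rest.index("-m") + 1]
            return args[i + 1], SEVERITY[args[i + 1]], method
    return None

def worst_by_host(events):
    """Map each host to the highest severity seen in (host, command_line) events."""
    worst = {}
    for host, command_line in events:
        hit = classify(command_line)
        if hit and RANK[hit[1]] >= RANK[worst.get(host, "low")]:
            worst[host] = hit[1]
    return worst

# Constructed process-creation events (host, command line); not real telemetry.
SAMPLE = [
    ("WS01", r"C:\Users\Public\SharpSCCM.exe local site-info"),
    ("WS01", r"C:\Temp\updater.exe local secrets -m wmi"),
    ("WS02", r"C:\Windows\System32\net.exe localgroup administrators"),
    ("WS03", r'"C:\Tools\SharpSCCM.exe" local classes'),
]

if __name__ == "__main__":
    for host, severity in sorted(worst_by_host(SAMPLE).items()):
        print(host, severity)
```

Feed it command lines from whatever process-creation source is available; a host that reaches "high" has seen the credential-extraction subcommand and warrants rotating the Network Access Account.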

Integration with Remote Commands

Local commands often provide essential information for remote operations:
# Get site information locally
SharpSCCM local site-info
# Output: MP: ATLAS.APERTURE.SCI, Site: PS1

# Use for remote enumeration
SharpSCCM get collections -mp ATLAS.APERTURE.SCI -sc PS1

Performance Notes

  • WMI operations are typically fast (< 1 second)
  • Log analysis (triage) can take 20+ seconds
  • Secrets extraction may require elevated privileges and take several seconds
  • File operations depend on file size and disk performance