Overview
Gather comprehensive information about the SCCM site from local log files. This command performs automated analysis of SCCM client logs on the local host to extract configuration details, network paths, URLs, and other reconnaissance data.
Syntax
Parameters
This command requires no additional parameters beyond the standard debug and help options.
Examples
Analysis Categories
Client Cache Analysis
Examines the SCCM client cache directory:
- Cache contents and file permissions
- Application packages stored locally
- Size and modification dates of cached content
- Access permissions for the current user
UNC Path Discovery
Searches logs for Universal Naming Convention paths:
- Distribution points and file shares
- Administrative shares (such as C$)
- Application source paths
- Network resource locations
URL Enumeration
Extracts URLs from log files:
- Management point URLs and endpoints
- Distribution point URLs
- Web service endpoints
- Internal application URLs
Log Files Analyzed
Core Client Logs
- CcmExec.log - Main client executive service
- CcmMessaging.log - Client-server communication
- PolicyAgent.log - Policy processing and retrieval
- LocationServices.log - Site assignment and discovery
Application and Deployment Logs
- AppEnforce.log - Application installation and enforcement
- AppDiscovery.log - Application detection
- DataTransferService.log - Content download operations
- SoftwareCatalogUpdateEndpoint.log - Software catalog updates
Setup and Configuration Logs
- ccmsetup.log - Client installation and setup
- ClientLocation.log - Management point discovery
- InternetProxy.log - Proxy configuration
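As an added illustration of the UNC path and URL extraction described under Analysis Categories, applied to the CMTrace-format lines the client logs listed above use (this is example code written for this page, not the tool's own implementation): it parses a few constructed sample lines from three of those logs, skips a malformed line instead of guessing at it, and reports which internal hosts the client's own logs disclose, so an administrator can audit what any local reader of these files would learn. The log contents, host names and paths are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed CMTrace-format lines (the format SCCM client logs use); hosts and paths are placeholders.
SAMPLE_LOGS = {
    "LocationServices.log": [
        '<![LOG[Assigned MP is http://mp01.corp.example:80]LOG]!><time="09:01:03.100+000" date="01-02-2024" '
        'component="LocationServices" context="" type="1" thread="1234" file="lsad.cpp:200">',
    ],
    "DataTransferService.log": [
        '<![LOG[DTSJob created to download from https://dp01.corp.example/SMS_DP_SMSPKG$/PS100005/setup.msi]LOG]!>'
        '<time="09:05:00.000+000" date="01-02-2024" component="DataTransferService" context="" type="1" thread="2222" file="dts.cpp:10">',
    ],
    "AppEnforce.log": [
        r'<![LOG[    Executing Command line: "\\dp01.corp.example\Source$\Apps\Tool\setup.exe" /S /quiet]LOG]!>'
        '<time="09:10:00.000+000" date="01-02-2024" component="AppEnforce" context="" type="1" thread="3333" file="app.cpp:10">',
        '<![LOG[Truncated line with no metadata tag]LOG]!>',  # malformed: envelope cut off, must be skipped
    ],
}

# CMTrace envelope: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
CMTRACE_RE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)" '
                        r'date="(?P<date>[^"]*)" component="(?P<component>[^"]*)"', re.S)
UNC_RE = re.compile(r'\\\\[\w.-]+\\[^\s"<>|]+')   # \\server\share\path...
URL_RE = re.compile(r'https?://[^\s"<>]+')

def parse_cmtrace(line):
    """Return (message, date, component) for one CMTrace line, or None if the envelope is missing."""
    m = CMTRACE_RE.search(line)
    return (m.group("msg"), m.group("date"), m.group("component")) if m else None

def triage_logs(logs):
    """Per log file, collect UNC paths and URLs; also return every host they point at."""
    report = {"files": {}, "hosts": set(), "skipped": 0}
    for name, lines in logs.items():
        entry = {"unc": set(), "urls": set()}
        for line in lines:
            parsed = parse_cmtrace(line)
            if parsed is None:              # do not guess at malformed lines, just count them
                report["skipped"] += 1
                continue
            msg = parsed[0]
            for unc in UNC_RE.findall(msg):
                entry["unc"].add(unc)
                report["hosts"].add(unc.split("\\")[2].lower())   # server component of \\server\share
            for url in URL_RE.findall(msg):
                entry["urls"].add(url)
                report["hosts"].add(urlparse(url).hostname.lower())
        report["files"][name] = entry
    return report
```

Feed `triage_logs` the lines read from the client's log directory instead of `SAMPLE_LOGS` to see which internal hosts, shares and endpoints the logs on a given host name.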
Discovered Information Types
Network Infrastructure
- Management point servers and ports
- Distribution point locations
- Internal network segments and IP ranges
- DNS names and FQDN patterns
Authentication Details
- Authentication methods and endpoints
- Certificate information
- Service principal names (SPNs)
- Windows authentication vs. certificate authentication
Application Intelligence
- Deployed applications and versions
- Source file locations
- Download URLs and content hashes
- Installation command lines and parameters
Use Cases
Comprehensive Reconnaissance
First-stage reconnaissance to understand the complete SCCM environment layout, including servers, network paths, and configurations.
Lateral Movement Planning
Identify network paths, shares, and servers that can be targeted for lateral movement within the environment.
Infrastructure Mapping
Build a complete map of the SCCM infrastructure including management points, distribution points, and network topology.
Performance Considerations
Security Implications
Information gathered by triage can reveal:
- Internal network topology and server locations
- Administrative access patterns and privileged paths
- Application deployment methods and source locations
- Authentication mechanisms and security configurations
Related Commands
- local grep - Search specific files for targeted information
- local site-info - Get basic site configuration
- local client-info - Get client version information
- get collections - Use discovered management points for remote enumeration