
SharpSCCM: SCCM Security Assessment Toolkit
SharpSCCM is a post-exploitation tool designed to leverage Microsoft System Center Configuration Manager (SCCM) / Microsoft Endpoint Configuration Manager for credential gathering, lateral movement, and privilege escalation without requiring access to the SCCM administration console GUI.
What is SharpSCCM?
SharpSCCM exploits common SCCM misconfigurations and inherent design weaknesses to demonstrate the security risks associated with poorly configured SCCM environments. The tool operates from any Windows machine running the SCCM client software and leverages Windows Management Instrumentation (WMI) and the ConfigMgr Client Messaging SDK to communicate with SCCM infrastructure.
Research Foundation: This tool is built upon extensive security research by @_Mayyhem and incorporates techniques developed by the security community, including work by Matt Nelson, Adam Chester, Duane Michael, and Garrett Foster.
Core Capabilities
Credential Harvesting
Extract sensitive credentials from SCCM infrastructure:
- Network Access Accounts (NAAs): Retrieve domain credentials used for distribution point access
- Collection Variables: Access credentials stored in collection-level variables
- Task Sequence Credentials: Extract passwords from operating system deployment sequences
- Policy Secret Decryption: Decrypt DPAPI-protected credential blobs
Lateral Movement
Move laterally through the environment using SCCM as a C2 framework:
- Application Deployment: Execute commands on remote systems via application deployment
- Script Execution: Run PowerShell scripts and binaries across collections
- User Impersonation: Execute applications in specific user contexts
- Collection Targeting: Target specific devices or users for operations
NTLM Coercion & Relay
Force authentication for credential relay attacks:
- Client Push Installation: Coerce NTLM authentication from site servers
- WebClient Exploitation: Leverage WebClient for HTTP-based authentication
- SMB Relay: Force connections to attacker-controlled SMB shares
- Domain Controller Targeting: Relay authentication to domain controllers
Information Gathering
Enumerate SCCM infrastructure and gather intelligence:
- Site Discovery: Identify site servers and management points via LDAP
- Admin Enumeration: List SCCM administrators and their roles
- Device & User Discovery: Enumerate managed devices and users
- Configuration Analysis: Analyze site settings and security configurations
AdminService API Abuse
Leverage the SCCM AdminService REST API for advanced operations:
- CMPivot Queries: Execute arbitrary CMPivot queries for data collection
- Real-time Intelligence: Gather system information from managed endpoints
- Custom Queries: Run tailored queries for specific intelligence requirements
- JSON Output: Retrieve structured data for further analysis
Attack Methodology
SharpSCCM follows a structured approach to SCCM exploitation:
1. Discovery & Reconnaissance: Identify SCCM infrastructure, site codes, management points, and site servers through LDAP queries and local client configuration analysis.
2. Credential Extraction: Extract stored credentials from policies, task sequences, and collection variables using DPAPI decryption techniques.
3. Privilege Escalation: Leverage extracted credentials or SCCM roles to gain higher privileges within the domain or SCCM hierarchy.
4. Lateral Movement: Use SCCM’s application deployment and script execution capabilities to move laterally across the network.
5. Persistence & Control: Establish persistence through SCCM configurations and maintain control over managed endpoints.
Key Features
- No Console Required: Operates without needing access to the SCCM administration console GUI
- Client-Side Execution: Runs from any Windows machine with the SCCM client installed
- WMI Integration: Leverages WMI and the ConfigMgr Client Messaging SDK for communication
- Comprehensive Coverage: Addresses multiple attack vectors and SCCM security weaknesses
Prerequisites & Requirements
Minimum Requirements:
- Windows machine with SCCM client installed
- Domain-joined system (for most operations)
- Network connectivity to SCCM management points
- Local administrator privileges (for credential extraction)
- SCCM administrative access for full functionality
- Valid domain credentials
- PKI certificates (if site requires them)
Quick Start Guide
- Build SharpSCCM: Compile the tool from source code with Visual Studio
- Command Reference: Learn the command-line syntax and common options
- Credential Extraction: Start with credential harvesting techniques
- Lateral Movement: Execute commands on remote systems via SCCM
Command Categories
Information Gathering Commands
get Command Group - Extract information from SCCM infrastructure:
- get site-info - Discover site servers and management points
- get admins - Enumerate SCCM administrators
- get devices - List managed devices and users
- get collections - Discover device and user collections
- get applications - View available applications
Credential Harvesting Commands
get secrets / local secrets - Extract stored credentials:
- Network Access Account credentials
- Collection variable passwords
- Task sequence credentials
- DPAPI-protected policy secrets
Lateral Movement Commands
exec Command - Execute code on remote systems:
- Application deployment for command execution
- Script execution across collections
- NTLM coercion and relay operations
- User impersonation techniques
Infrastructure Manipulation
new / remove Commands - Modify SCCM infrastructure:
- Create and delete applications
- Manage collections and deployments
- Add/remove collection members
- Device registration operations
Advanced Operations
invoke Command Group - Advanced SCCM operations:
- CMPivot query execution via AdminService
- Client push authentication coercion
- Policy update enforcement
- Custom WQL query execution
Security Considerations
Responsible Use Guidelines
1. Authorization: Obtain explicit written authorization before testing against any SCCM infrastructure
2. Scope Limitation: Clearly define the scope of testing and avoid systems outside the authorized scope
3. Impact Assessment: Understand the potential impact of operations, especially application deployments
4. Documentation: Document all activities for compliance and remediation purposes
5. Cleanup: Remove any artifacts created during testing (applications, collections, etc.)
Defensive Recommendations
For comprehensive defensive guidance, see our Security Recommendations page, which covers:
- SCCM hardening best practices
- Detection and monitoring strategies
- Incident response procedures
- Security configuration checklists
Development & Lab Setup
Minimum Lab Components:
- CM1: Configuration Manager Primary Site Server, Management Point, and Site Database Server
- GW1: Configuration Manager Client
- DC1: Domain Controller
Research & Publications
Primary Research by @_Mayyhem:
- Coercing NTLM Authentication from SCCM
- Relaying NTLM Authentication from SCCM Clients
- SCCM Site Takeover via Automatic Client Push Installation
- SCCM Hierarchy Takeover
Community Research & Tools
Related Research & Tools
Project Support & Contributors
Sponsorship: This project is supported by SpecterOps as part of their commitment to transparency and open-source security research.
Core Contributors
Duane Michael (@subat0mik)
- NAA credential gathering techniques
- DPAPI implementation contributions
Evan McBroom (@EvanMcBroom)
- Credential recovery enhancements
- Core functionality improvements
Diego Lomellini (@DiLomSec1)
- CMPivot AdminService integration
- API enhancement contributions
Carsten Sandker (@0xcsandker)
- PXE media certificate support
- Security enhancement features
Adam Chester (@xpn)
- NAA deobfuscation research
- Cryptographic implementation guidance
Matt Nelson (@enigma0x3)
- PowerSCCM foundation work
- Original offensive SCCM research