Garrett Foster edited this page Feb 28, 2024 · 5 revisions

SCCMHunter

SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM-related assets in an Active Directory domain. The basic function of the tool is to query LDAP with the find module for potential SCCM-related assets. This is achieved through ACL recon of objects created during the deployment process when extending the AD schema, by resolving any published Management Points, and by performing queries for the keywords "SCCM" or "MECM". This list of targets is then profiled with the SMB module by checking the remarks for default shares required by assets configured with certain SCCM roles. Additionally, the module checks the SMB signing status of the host and performs further profiling of other SCCM services, such as whether the MSSQL service is running or whether the host is an SMS Provider. All of this helps paint a picture of potential attack paths in the environment.

Once profiling is complete, the operator can target client enrollment abuse with the HTTP (@_xpn_) module, use the MSSQL (@_mayyhem) module to grab the necessary syntax for complete site server takeover, or use the DPAPI module to extract Network Access Accounts from a compromised SCCM client. Finally, if a hierarchy takeover is successful, the admin module is available for post exploitation and lateral movement.
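For defenders, the LDAP discovery behaviour described above can be looked for in directory query telemetry. The following is an added example, not code from SCCMHunter or this wiki: it flags a client that combines two or more of the described search types in a short window. The event tuple layout, the function names, the thresholds, and the schema names (`mSSMSManagementPoint`, the `System Management` container) are assumptions, since the page does not list the tool's exact filters.

```python
import re
from collections import defaultdict

# One pattern per LDAP discovery behaviour named in the overview.
# Class/container names are the standard SCCM schema-extension names (assumed).
PATTERNS = {
    "keyword": re.compile(r"\*(sccm|mecm)\*", re.I),
    "management_point": re.compile(r"objectclass=mssmsmanagementpoint", re.I),
    "system_management": re.compile(r"cn=system management,cn=system", re.I),
}

def classify(filter_text, base_dn=""):
    """Return the set of discovery categories one LDAP search matches."""
    haystack = f"{filter_text} {base_dn}"
    return {name for name, rx in PATTERNS.items() if rx.search(haystack)}

def flag_clients(events, window=300, threshold=2):
    """events: iterable of (epoch_seconds, client_ip, base_dn, ldap_filter).
    A single category is normal (SCCM clients look up management points),
    so flag only clients hitting >= threshold categories within `window` s."""
    hits = defaultdict(list)  # client -> [(timestamp, category)]
    for ts, client, base_dn, flt in events:
        for cat in classify(flt, base_dn):
            hits[client].append((ts, cat))
    flagged = {}
    for client, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            cats = {c for t, c in seen[i:] if t - start <= window}
            if len(cats) >= threshold:
                flagged[client] = sorted(cats)
                break
    return flagged

# Constructed sample events for illustration (not real logs).
SAMPLE = [
    (1000, "10.0.0.5", "DC=lab,DC=local", "(&(objectClass=user)(sAMAccountName=jdoe))"),
    (1010, "10.0.0.66", "DC=lab,DC=local", "(objectClass=mSSMSManagementPoint)"),
    (1015, "10.0.0.66", "DC=lab,DC=local",
     "(|(samaccountname=*sccm*)(samaccountname=*mecm*)(description=*sccm*))"),
    (1020, "10.0.0.66", "CN=System Management,CN=System,DC=lab,DC=local", "(objectClass=*)"),
    (5000, "10.0.0.9", "DC=lab,DC=local", "(cn=*sccm*)"),
]

if __name__ == "__main__":
    for client, cats in flag_clients(SAMPLE).items():
        print(client, cats)
```
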

This tool was developed and tested in a lab environment. Your mileage may vary on performance. If you run into any problems, please don't hesitate to open an issue.

Thanks to @_Mayyhem for letting me steal their Wiki format!
