Documentation overview

Feel free to add me on Discord (ice0) or linkedin if you have any questions about the attacks or setting up the SCCM lab.

This is just a walkthrough. All credit for the original research on SCCM goes to the people at SpecterOps, Synacktiv, and MWR CyberSec.

Changelog

21/05/2025 - Added Domain Credentials in PXE boot images/files to the SCCM - Other page.
21/05/2025 - Will soon add stuff about WSUS/more takeover attacks.

SCCM Misconfiguration Manager Walkthrough

SCCM Basics

General SCCM Information

RECON 1, 2, 3, 4 and 5

CRED 1, 2, 3, 4, 5 and 6

ELEVATE 1, 2 and 3

TAKEOVER 1, 2, 3 and 8

EXEC 1 and 2

Additional SCCM attacks