SCCM - Recon
SCCM Recon Techniques
Basic enumeration
For a lab without DNS resolution (add to your hosts file):
RECON-1 - Enumerate SCCM via LDAP
Check if SCCM is used and retrieve general information:
You should also do this with sccmhunter:
This does not just look for AD objects named SCCM or MECM: it first looks for the container called System Management, which always carries that name when SCCM is installed. So if there is none, there is no SCCM in the AD environment (there could still be PXE though).
RECON-2 - Enumerate SCCM via SMB
Site server > look for SMS in share names: https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/RECON/RECON-2/recon-2_description.md#site-server-shares
Distribution point > a REMINST file share indicates that Windows Deployment Services is installed on the host and that it is likely a PXE-enabled distribution point. https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/RECON/RECON-2/recon-2_description.md#distribution-point
Check all computers for SCCM related shares:
Or with sccmhunter (and save PXEBoot variables files, if found):
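Added defender-side example (not code from this page, Misconfiguration-Manager or sccmhunter): the share names RECON-2 keys on, used first to build an inventory of which hosts expose which SCCM role and then as a detection over constructed share-access records. It assumes a simplified timestamp|source IP|server|share record standing in for Windows Security event 5140; the SMS_SITE, SMS_DP$ and SCCMContentLib$ names, hostnames, addresses and thresholds are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Share names that reveal SCCM roles (RECON-2): SMS* shares on site servers and distribution
# points, SCCMContentLib$ on distribution points, REMINST on a PXE-enabled DP (WDS installed).
SCCM_SHARE_RE = re.compile(r"^(SMS\w*\$?|SCCMContentLib\$|REMINST)$", re.IGNORECASE)
ROLE_HINTS = {"SMS_SITE": "site server", "SMS_DP$": "distribution point",
              "SCCMContentLib$": "distribution point", "REMINST": "PXE-enabled distribution point"}
# Constructed records shaped like Windows Security event 5140 (network share accessed), as
# timestamp|source IP|server|share. Not real telemetry: hosts and addresses are made up.
SAMPLE_EVENTS = r"""
2024-05-01T10:00:01|10.10.10.50|SCCM-SITE01|\\*\SMS_SITE
2024-05-01T10:00:05|10.10.10.50|SCCM-DP01|\\*\SMS_DP$
2024-05-01T10:00:06|10.10.10.50|SCCM-DP01|\\*\REMINST
2024-05-01T10:00:07|10.10.10.50|SCCM-DP01|\\*\SCCMContentLib$
2024-05-01T10:00:09|10.10.10.50|FS01|\\*\Users
2024-05-01T10:30:00|10.10.10.77|SCCM-DP01|\\*\SMS_DP$
2024-05-01T11:00:00|10.10.10.77|SCCM-SITE01|\\*\SMS_SITE
""".strip().splitlines()

def parse_event(line):
    """Split one record; the share field is reduced to its bare name, e.g. SMS_DP$."""
    ts, src_ip, server, share = line.split("|")
    return datetime.fromisoformat(ts), src_ip, server, share.rsplit("\\", 1)[-1]

def sccm_roles(lines):
    """Map each server to the SCCM roles its exposed share names suggest (asset inventory)."""
    roles = defaultdict(set)
    for line in lines:
        _, _, server, share = parse_event(line)
        if share in ROLE_HINTS:
            roles[server].add(ROLE_HINTS[share])
    return dict(roles)

def find_share_enumeration(lines, window=timedelta(minutes=5), min_hits=3):
    """Flag sources touching >= min_hits distinct SCCM shares within `window`; returns {src: {(server, share)}}."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, server, share = parse_event(line)
        if SCCM_SHARE_RE.match(share):
            by_src[src].append((ts, server, share))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            hits = {(srv, sh) for ts, srv, sh in events[i:] if ts - start <= window}
            if len(hits) >= min_hits:  # a normal client pulling content from one DP never reaches this
                alerts[src] = hits
                break
    return alerts
```

A single client fetching content from its distribution point touches one or two shares over a long period, so the time-windowed distinct-share count separates that from a host walking every SMS share across several servers.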
RECON-3 - Enumerate SCCM roles via HTTP
A management point (MP) hosts several web applications for multiple functions, including client communication, policy distribution, and health monitoring, for example: http://sccm-mgmt.ludus.domain/CCM_System_WindowsAuth
This HTTP endpoint on a management point can also be checked with sccmhunter and is needed for the CRED-2 attack:
RECON-4 - Query client devices via CMPivot
ConfigMgr exposes the AdminService REST API, which in turn exposes methods to perform CMPivot queries.
- Your user needs to be a member of the SMS Admins local group on any site server, or you will get access denied errors; in practice this means you need SCCM admin privileges such as Full Administrator.
About SMS Admins:
To grant access to WMI and the AdminService, SCCM creates the “SMS Admins” local security group on each SMS Provider in the hierarchy. Membership of this group is managed by SCCM from the RBAC_Admins table stored in the site database. When an administrative user is added or removed from the role in the Site Database, that change is replicated to all SMS Providers. This in turn updates the membership for the SMS Admins local security group accordingly. By default, the site server machine account is also a member of the SMS Admins group.
See the full commands list here: https://github.com/garrettfoster13/sccmhunter/wiki/admin#commands
For example you can query the users/admins and their permissions:
Or get all collections and then view the clients that are part of the collection etc:
RECON-5 - Locate users via SMS Provider
User device affinity is a relationship created between a client device and a user account to identify devices that users frequently access to perform their work (e.g., their workstations and laptops).
Attackers can assume that these users either have an active session or may log onto these systems again, in which case stored credentials in memory could be used to conduct further actions in the context of that user. For example, they could identify devices where a member of the Domain Admins group is the primary user or the last to log on and move laterally to the system or coerce NTLM authentication to compromise their account (EXEC-1).
In sccmhunter admin module:
- get_lastlogon > Query for devices the target recently signed in to
- get_puser > Query for devices of which the target is a primary user
Or target the clients and look for active DA sessions (example; workstation with DA logged on):