Admin & Special Account Enumeration

Theory

Administrative privileges over the SCCM Management Point (MP) are required to query the MP's WMI database for admin and special accounts. This enumeration step allows identifying SCCM administrators and special service accounts configured within the SCCM infrastructure.

For additional attack techniques and defense strategies related to SCCM enumeration, refer to the following techniques from the Misconfiguration-Manager repository:

• RECON-1: LDAP Enumeration
• RECON-2: SMB Enumeration
• RECON-3: HTTP Enumeration
• RECON-5: SMS Provider Enumeration
• RECON-6: Remote Registry Enumeration
• RECON-7: Local File Site Enumeration

Practice

Admin users can be enumerated using the following command:

SharpSCCM.exe get class-instances SMS_ADMIN

Admin user enumeration in SCCM

Special accounts can be enumerated using the following command:

SharpSCCM.exe get class-instances SMS_SCI_Reserved

Special Account Enumeration in SCCM

Resources

https://www.securesystems.de/blog/active-directory-spotlight-attacking-the-microsoft-configuration-manager/

https://github.com/subat0mik/Misconfiguration-Manager/tree/main/attack-techniques/RECON