- Zach Stein released a Ludus SCCM lab that covers a lot of the techniques in this repo.
- @an0n_r0 released a Snap Labs range that can be used to test the majority of SCCM tradecraft in this repo.
- @M4yFly released an SCCM lab for the Game of Active Directory (GOAD) project that can be used with VMware or VirtualBox and also covers a lot of the tradecraft in this repo.
The following labs are options as well, but do not separate the site database or SMS Provider roles from the primary site server, preventing the use of the majority of TAKEOVER techniques:
- Active Directory Spotlight: Attacking The Microsoft Configuration Manager (SCCM/MECM), by Carsten Sandker (@0xcsandker)
- An Inside Look: How to Distribute Credentials Securely in SCCM, by Christopher Panayi
- Automating SCCM with Ludus: A Configuration Manager for Your Configuration Manager, by Zach Stein (@synzack21)
- Black Hat USA Arsenal 2022: SharpSCCM, by Chris Thompson (@_Mayyhem) and Duane Michael (@subat0mik)
- Black Hat USA Arsenal 2023: SharpSCCM - Abusing Microsoft's C2 Framework, by Chris Thompson (@_Mayyhem) and Diego Lomellini (@DiLomSec1)
- Black Hat USA SpecterOps Booth 2023: SharpSCCM - Abusing Microsoft's C2 Framework, by Chris Thompson (@_Mayyhem) and Diego Lomellini (@DiLomSec1)
- CISA Red Team Report Featuring SCCM, by CISA
- Client Push Installation Abuse, by Matt Nelson (@enigma0x3)
- CMLoot, by Tomas Rzepka (@1njected)
- cmloot, by Andreas Vikerup and Dan Rosenqvist
- CMPivot SharpSCCM Support, by Diego Lomellini (@DiLomSec1)
- Coercing NTLM Authentication from SCCM, by Chris Thompson (@_Mayyhem)
- Deobfuscator Implementation in Python, by @SkelSec
- Defending the Castle, by Tom Degreef and Kim Oppalfens
- Exploring SCCM by Unobfuscating Network Access Accounts, by Adam Chester (@xpn)
- Get Secrets via PXE Media Certificates SharpSCCM PR, by Carsten Sandker (@0xcsandker)
- Grow Your Own SCCM Lab, by @HTTP418
- Hierarchy Takeover without SOCKS, by Chris Thompson (@_Mayyhem)
- Identifying and Retrieving Credentials from SCCM/MECM Task Sequences, by Christopher Panayi
- impacket SCCM Relay, by Matt Creel (@Tw1sm)
- Looting Microsoft Configuration Manager, by Tomas Rzepka (@1njected)
- Mimikatz misc::sccm, by Benjamin Delpy (@gentilkiwi)
- Mimikatz dpapi::sccm, by Benjamin Delpy (@gentilkiwi)
- MalSCCM, by Phil Keeble (@The_Keeb)
- Microsoft's Accidental Enterprise DFIR Tool, by Keith Tyler
- Offensive Operations with PowerSCCM, by Matt Nelson (@enigma0x3)
- Offensive SCCM Summary, by @HTTP418
- Owning One to Rule Them All, by Dave Kennedy (@HackingDave) and Dave DeSimone
- Network Access Accounts are evil..., by Roger Zander
- PowerSCCM, by Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Jared Atkinson (@jaredcatkinson), and Matt Graeber (@mattifestation)
- Pulling Passwords Out of Configuration Manager, by Christopher Panayi
- Push, by Vulnlab
- Push Comes to Shove: Exploring SCCM Attack Paths, by Brandon Colley (@TechBrandon)
- Push Comes to Shove Part 1, by Brandon Colley (@TechBrandon)
- Push Comes to Shove Part 2, by Brandon Colley (@TechBrandon)
- PXEThief, by Christopher Panayi
- pxethiefy, by Carsten Sandker (@0xcsandker)
- Red Team Ops SCCM Module, by Zero Point Security (@zeropointsecltd)
- Relaying NTLM Authentication from SCCM Clients, by Chris Thompson (@_Mayyhem)
- SCCM and Incident Response Part 1, by hexacorn
- SCCM and Incident Response Part 2, by hexacorn
- SCCM Credential Recovery for Network Access Accounts, by Evan McBroom (@mcbroom_evan)
- SCCM Decrypt POC, by Adam Chester (@xpn)
- SCCM w/ Garrett Foster (@garrfoster), by Brandon Colley (@TechBrandon) at Trimarc Happy Hour
- SCCM Exploitation: The First Cred is the Deepest II, by Gabriel Prud'homme (@vendetce)
- SCCM Exploitation: Account Compromise Through Automatic Client Push & AD System Discovery, by Marshall Price (@__mastadon)
- SCCM Exploitation: Evading Defenses and Moving Laterally with SCCM Application Deployment, by Marshall Price (@__mastadon)
- SCCM/MECM Hacker Recipes, by Charlie Bromberg (@_nwodtuhs)
- SCCM Hierarchy Takeover, by Chris Thompson (@_Mayyhem)
- SCCM Hierarchy Takeover with High Availability, by Garrett Foster (@garrfoster)
- SCCM Site Takeover via Automatic Client Push Installation, by Chris Thompson (@_Mayyhem)
- SCCM - Microsoft's Native C2, by @RedHeadSec
- sccmhunter, by Garrett Foster (@garrfoster)
- sccmwtf, by Adam Chester (@xpn)
- SCCM-Enumeration, by Cr0n1c
- SeeSeeYouExec: Windows Session Hijacking via CcmExec, by Andrew Oliveau (@AndrewOliveau)
- SharpDPAPI SCCM Credential Gathering Support, by Duane Michael (@subat0mik)
- SharpSCCM, by Chris Thompson (@_Mayyhem)
- Site Takeover via SCCM's AdminService API, by Garrett Foster (@garrfoster)
- Snaplabs SCCM Lab Template, by @an0n_r0
- SQLRecon SCCM Module, by Sanjiv Kawa (@sanjivkawa)
- Targeted Workstation Compromise with SCCM, by Matt Nelson (@enigma0x3)
- The Phantom Credentials of SCCM: Why the NAA Won't Die, by Duane Michael (@subat0mik)
- We Have C2 at Home: Leveraging Microsoft's C2 Framework, by Garrett Foster (@garrfoster)