CRED-4 - CIM Repository

Description

Dump legacy secrets via CIM repository

The Network Access Account (NAA) is a domain account provisioned on a site server. The NAA account is used by SCCM clients to download software from the distribution point. Otherwise, it serves no other purpose within the configuration.

Regardless of whether a NAA account is configured or not, this method may still provide credential material.

Data stored within WMI classes can still exist with the CIM repository file, even long after the WMI class has been deleted or cleared of data. This file is located at C:\Windows\System32\wbem\Repository\OBJECTS.DATA

SharpDPAPI and SharpSCCM can be used to decrypted the encrypted data blobs and reveal the underlying credentials.

Requirements

Local administrator privileges on an SCCM client

SharpSCCM

SharpSCCM.exe local secrets -m disk

Defensive IDs

PREVENT-3: Harden or disable network access accounts
PREVENT-4: Configure Enhanced HTTP
PREVENT-10: Enforce the principle of least privilege for accounts
PREVENT-15: Disable legacy network access accounts in Active Directory

Last updated 9 months ago

Was this helpful?