# sccm `misc::sccm` decrypts the password field in the `SC_UserAccount` table in the SCCM database. According to Benjamin (gentilkiwi), the passwords are encrypted with the key embedded in the value (3DES if encounter `0x6603` \*\*\*\* at offset `0x0c`). This key is protected by the `Microsoft Systems Management Server` RSA key but there are many other things like `global secret`, `exchange cert`*,* and some PFX sometimes. It has the following command line arguments: * `keyuser`: the specific user to target * `keycontainer`: the exported private key * `connectionstring`: an example is \_\_ `DRIVER={SQL Server};Trusted=true;DATABASE=CM_PRD;SERVER=myserver.fqdn\instancename;`. {% hint style="info" %} This command requires elevated privileges (by previously running [`privilege::debug`](/mimikatz/modules/privilege/debug.md) or by executing Mimikatz as the `NT-AUTHORITY\SYSTEM` account). {% endhint %} {% hint style="info" %} Based on [Benjamin's suggestion](https://twitter.com/gentilkiwi/status/1399826927112830979?s=20) `misc::sccm` can be run: * on the SCCM server (with original private key on system and DB access) * on another system (with private key exported and exported DB - or original) {% endhint %} The following image was borrowed from [this tweet](https://twitter.com/gentilkiwi/status/1392204021461569537): ![Decrypt passwords in the SCCM database](/files/TFrcHurA8SbwqJyb0xSr) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://tools.thehacker.recipes/mimikatz/modules/misc/sccm.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.