misc::sccm decrypts the password field in the SC_UserAccount table in the SCCM database. According to Benjamin (gentilkiwi), the passwords are encrypted with the key embedded in the value (3DES if encounter 0x6603 **** at offset 0x0c). This key is protected by the Microsoft Systems Management Server RSA key but there are many other things like global secret, exchange cert, and some PFX sometimes. It has the following command line arguments:
  • keyuser: the specific user to target
  • keycontainer: the exported private key
  • connectionstring: an example is __ DRIVER={SQL Server};Trusted=true;DATABASE=CM_PRD;SERVER=myserver.fqdn\instancename;.
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
Based on Benjamin's suggestion misc::sccm can be run:
  • on the SCCM server (with original private key on system and DB access)
  • on another system (with private key exported and exported DB - or original)
The following image was borrowed from this tweet:
Decrypt passwords in the SCCM database
Last modified 1yr ago