sccm
misc::sccm
decrypts the password field in the SC_UserAccount
table in the SCCM database. According to Benjamin (gentilkiwi), the passwords are encrypted with the key embedded in the value (3DES if encounter 0x6603
**** at offset 0x0c
). This key is protected by the Microsoft Systems Management Server
RSA key but there are many other things like global secret
, exchange cert
, and some PFX sometimes. It has the following command line arguments:
keyuser
: the specific user to targetkeycontainer
: the exported private keyconnectionstring
: an example is __DRIVER={SQL Server};Trusted=true;DATABASE=CM_PRD;SERVER=myserver.fqdn\instancename;
.
This command requires elevated privileges (by previously running privilege::debug
or by executing Mimikatz as the NT-AUTHORITY\SYSTEM
account).
Based on Benjamin's suggestion misc::sccm
can be run:
on the SCCM server (with original private key on system and DB access)
on another system (with private key exported and exported DB - or original)
The following image was borrowed from this tweet:
Last updated