SCCM/MECM Knowledge for Penetration Testing Interviews

Why SCCM Matters for Penetration Testers

SCCM/MECM is extremely common in enterprise environments and represents one of the highest-impact post-exploitation targets. During interviews, demonstrating knowledge of SCCM shows:

  • Understanding of enterprise infrastructure
  • Awareness of lateral movement opportunities
  • Knowledge of privilege escalation vectors
  • Familiarity with real-world attack chains

Technical Fundamentals to Know

Architecture & Communication Flow

Basic Client-to-Infrastructure Flow:

  1. Client contacts Management Point via HTTP/HTTPS (default: 80/443)
  2. MP provides policy and content location information
  3. Client downloads content from Distribution Point via HTTP/HTTPS or SMB (445)
  4. Client reports status back to MP

Key Ports:

  • 80/443 - Client to MP communication, client to DP (HTTP/HTTPS)
  • 445 - SMB for DP content delivery, Client Push installation
  • 1433 - SQL Server database (site database)
  • 10123 - Client notification (fast channel for real-time actions)

Database Structure Basics

The SCCM site database is SQL Server-based and contains tables for:

  • Computer and User inventory - Hardware specs, installed software, user data
  • Collections - Groupings of devices/users
  • Packages and Applications - Software deployment definitions
  • Deployments - What gets deployed where and when
  • Credentials - Stored accounts (often reversibly encrypted, not hashed)

Important Schema Knowledge:

  • Views are prefixed with v_, e.g. v_R_System (discovered devices) and v_GS_COMPUTER_SYSTEM (hardware inventory for the computer system class)
  • Credentials stored in tables like SC_UserAccount, SC_ClientPushInstall_Property
  • WMI classes mirror database structure (e.g., SMS_R_System)

WMI Namespaces

SCCM heavily uses WMI for both client-side and server-side operations:

Server-Side (on site systems):

  • root\SMS\site_<sitecode> - Primary management namespace via SMS Provider
  • Contains classes like SMS_Package, SMS_Collection, SMS_Application
  • Used by admin console and scripts to manage SCCM

Client-Side (on managed endpoints):

  • root\CCM - Client agent namespace
  • root\CCM\Policy - Client policy storage
  • Contains client configuration, cached credentials, deployment info
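The client-side namespaces above can be read locally to inventory a managed endpoint. The following PowerShell is an added example, not code from the original page or from any SCCM tooling; it assumes the Configuration Manager client is installed and the script runs elevated. It reports the site code and current MP from SMS_Authority, the client version from SMS_Client, the cache location from CacheConfig, and whether a Network Access Account is present in the machine's actual policy (counted only, never decrypted), which is the check a hardening audit wants before an attacker makes it for you. The same query answers the "extract site information from a compromised host" step in the discovery talking points later on the page.

```powershell
# Added example (not from the original page): inventory the local SCCM client through root\CCM
# from a hardening-audit stance. Assumes the ConfigMgr client is installed and we run elevated.
function Get-CcmClientFootprint {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ ClientInstalled = $false }
    }

    # SMS_Authority: Name is "SMS:<sitecode>", CurrentManagementPoint is the MP the client uses.
    $authority = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority -ErrorAction Stop |
        Select-Object -First 1
    $siteCode = ($authority.Name -split ':')[-1]

    # SMS_Client carries the agent version and whether local admins may override site settings.
    $client = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Client

    # CacheConfig in root\ccm\SoftMgmtAgent holds the content cache location and size (MB).
    $cache = Get-CimInstance -Namespace 'root\ccm\SoftMgmtAgent' -ClassName CacheConfig

    # An assigned Network Access Account lands in the machine's actual policy as
    # CCM_NetworkAccessAccount. We only count instances: the presence of an NAA on a client is
    # itself an audit finding (Enhanced HTTP or PKI removes the need for it).
    $naa = Get-CimInstance -Namespace 'root\ccm\Policy\Machine\ActualConfig' `
        -ClassName CCM_NetworkAccessAccount -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ClientInstalled               = $true
        ServiceStatus                 = $svc.Status.ToString()
        SiteCode                      = $siteCode
        CurrentManagementPoint        = $authority.CurrentManagementPoint
        ClientVersion                 = $client.ClientVersion
        AllowLocalAdminOverride       = [bool]$client.AllowLocalAdminOverride
        CachePath                     = $cache.Location
        CacheSizeMB                   = $cache.Size
        NetworkAccessAccountsInPolicy = @($naa).Count
    }
}

Get-CcmClientFootprint | Format-List
```

A non-zero NetworkAccessAccountsInPolicy on a fleet that already uses Enhanced HTTP or PKI client certificates is a cheap finding to raise: the account is no longer needed and its removal closes the credential-in-policy exposure the page describes.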

Service Accounts & Authentication

Common SCCM Service Accounts:

  • Site Server Computer Account - Usually runs site server services, often has high privileges
  • Client Push Installation Account - Used to install clients remotely (requires local admin on targets)
  • Network Access Account (NAA) - Used by clients to access DPs when they cannot authenticate with their own machine account
  • SQL Server Service Account - Runs SQL Server instance
  • Reporting Services Account - Access for SSRS integration

Authentication Flows:

  • Clients authenticate to MPs using machine certificates or PKI
  • Falls back to HTTP, with weaker security, if HTTPS is not configured
  • Service accounts often have domain-wide or forest-wide access

Deployment Mechanisms

Understanding how SCCM deploys software is crucial:

Deployment Types:

  1. Applications - Modern method with detection logic, dependencies, requirements
  2. Packages - Legacy method, just copies files and runs commands
  3. Task Sequences - Multi-step processes (OS deployment, complex configurations)
  4. Software Updates - Patch management via WSUS integration
  5. Scripts - PowerShell/VBScript execution (introduced in later versions)

Execution Context:

  • Deployments typically run as SYSTEM on the target
  • This is why SCCM compromise = instant SYSTEM on all managed endpoints
  • Can be targeted at device collections or user collections

Client Agent Components

The SCCM client (CcmExec service) consists of multiple agents:

  • Software Distribution Agent - Handles application/package deployments
  • Software Updates Agent - Manages patches
  • Inventory Agent - Collects hardware/software inventory
  • Policy Agent - Retrieves and evaluates policy
  • State Messaging Agent - Reports status to MP

Client Cache:

  • Located at C:\Windows\CCMCache by default
  • Stores downloaded content before execution
  • Can contain sensitive data, scripts, credentials

Collections and Targeting

Collection Types:

  • Device Collections - Groups of computers/devices
  • User Collections - Groups of users

Membership Rules:

  • Direct Rule - Manually added members
  • Query Rule - Dynamic based on WQL queries (like SQL for WMI)
  • Include/Exclude Rules - Reference other collections

Key Built-in Collections:

  • All Systems - Every discovered device
  • All Users and User Groups - Every discovered user/group
  • Limiting collections - every custom collection is scoped to a parent limiting collection that caps its possible membership, which is what determines how far a deployment can actually reach
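Because deployments run as SYSTEM on device targets, the deployments aimed at the broadest built-in collections are the highest-blast-radius objects in a site, and the limiting-collection chain tells you how far a custom collection can grow. The following PowerShell is an added example written for this page, not code from the original text or from any SCCM tool; it serves both the Execution Context and the Collections passages. It assumes read access to the SMS Provider on $ProviderHost, discovers the site code from SMS_ProviderLocation rather than hard-coding it, and 'SITESRV01' is a placeholder host name. The numeric DeploymentIntent and FeatureType mappings follow the documented SMS_DeploymentSummary values.

```powershell
# Added example (not from the original page): list deployments aimed at the broadest built-in
# collections via the SMS Provider namespace root\SMS\site_<code>, with each collection's limiting
# collection and member count. Assumes read rights on the provider; 'SITESRV01' is a placeholder.
function Get-BroadDeploymentAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProviderHost,
        # Built-in IDs: SMS00001 = All Systems, SMS00004 = All Users and User Groups.
        [string[]] $BroadCollectionIds = @('SMS00001', 'SMS00004')
    )

    $session = New-CimSession -ComputerName $ProviderHost
    try {
        # Discover the site code from the provider instead of hard-coding it.
        $loc = Get-CimInstance -CimSession $session -Namespace 'root\SMS' -ClassName SMS_ProviderLocation |
            Where-Object { $_.ProviderForLocalSite } | Select-Object -First 1
        $ns = "root\SMS\site_$($loc.SiteCode)"

        # Documented value maps for SMS_DeploymentSummary.
        $intentNames  = @{ 1 = 'Required'; 2 = 'Available'; 3 = 'Simulate' }
        $featureNames = @{ 1 = 'Application'; 2 = 'Program'; 5 = 'SoftwareUpdate'; 7 = 'TaskSequence' }

        # Collection lookup so each finding shows the limiting collection and current size.
        $collections = @{}
        Get-CimInstance -CimSession $session -Namespace $ns -ClassName SMS_Collection |
            ForEach-Object { $collections[$_.CollectionID] = $_ }

        # WQL has no IN operator, so build an OR chain for the filter.
        $filter = ($BroadCollectionIds | ForEach-Object { "CollectionID='$_'" }) -join ' OR '

        Get-CimInstance -CimSession $session -Namespace $ns -ClassName SMS_DeploymentSummary -Filter $filter |
            Sort-Object CreationTime -Descending |
            ForEach-Object {
                $col = $collections[$_.CollectionID]
                [pscustomobject]@{
                    DeploymentID = $_.DeploymentID
                    Software     = $_.SoftwareName
                    Type         = $featureNames[[int]$_.FeatureType]
                    # Required deployments run unattended, as SYSTEM for device-targeted content.
                    Intent       = $intentNames[[int]$_.DeploymentIntent]
                    Collection   = $_.CollectionName
                    LimitedBy    = $col.LimitToCollectionID
                    Members      = $col.MemberCount
                    Targeted     = $_.NumberTargeted
                    Created      = $_.CreationTime
                }
            }
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

Get-BroadDeploymentAudit -ProviderHost 'SITESRV01' | Format-Table -AutoSize
```

Run it on a schedule and keep the output: a Required deployment of a Program or TaskSequence to All Systems with a recent CreationTime is exactly the object an intruder with console or provider access would create, and it is far easier to spot in a short list than in the console's deployment view.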

Discovery Methods

SCCM discovers devices and users through various methods:

  • Active Directory System Discovery - Queries AD for computer objects
  • Active Directory User Discovery - Queries AD for user objects
  • Active Directory Group Discovery - Discovers groups
  • Network Discovery - Scans network ranges
  • Heartbeat Discovery - Client self-reports

This is why SCCM databases contain comprehensive network maps.

Boundaries and Boundary Groups

Boundaries define network locations using:

  • IP subnet ranges
  • AD site names
  • IPv6 prefixes
  • IP address ranges

Boundary Groups associate boundaries with:

  • Site assignment (which site manages clients)
  • Content location (which DPs serve content)

Understanding boundaries helps explain why certain DPs are used.

Interview-Relevant Talking Points

When Discussing SCCM in Interviews

If asked about SCCM attack vectors, structure your answer:

  1. Discovery/Reconnaissance:

    • “First, I’d identify SCCM infrastructure through port scans (80/443 for MPs, 445 for DPs)”
    • “Check for SCCM client installations on compromised hosts (CcmExec service, CCM directory)”
    • “Enumerate site code from registry: HKLM\SOFTWARE\Microsoft\SMS\Identification”
  2. Initial Access via SCCM:

    • “Credential harvesting from SCCM client cache or policy”
    • “Network Access Account credentials often stored on clients”
    • “PXE boot exploitation if anonymous allowed”
  3. Lateral Movement:

    • “Client Push account credentials can provide admin access across environment”
    • “Compromised SCCM admin console access enables deployment to collections”
    • “SQL database access can expose service accounts”
  4. Privilege Escalation:

    • “Deployments run as SYSTEM - can create malicious applications”
    • “SMS Provider access allows modification of deployments”
    • “Site server compromise = domain-wide SYSTEM access potential”
  5. Persistence:

    • “Create scheduled deployments to collections”
    • “Modify existing applications to include backdoors”
    • “Add accounts to SCCM admin roles”
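The persistence step "add accounts to SCCM admin roles" leaves a durable record in the provider's SMS_Admin class, which makes it a good thing to baseline. The following PowerShell is an added example written for this page, not code from the original text or any SCCM tool; it snapshots the site's administrative users and diffs against a saved baseline so a new admin or an expanded role set stands out. It assumes read access to the SMS Provider on $ProviderHost, a known $SiteCode, and the host name 'SITESRV01', site code 'PS1' and baseline path are placeholders.

```powershell
# Added example (not from the original page): snapshot SMS_Admin from the SMS Provider and diff it
# against a saved baseline. 'SITESRV01', 'PS1' and the baseline path are placeholders.
function Get-CMAdminSnapshot {
    param([Parameter(Mandatory)][string]$ProviderHost, [Parameter(Mandatory)][string]$SiteCode)
    $ns = "root\SMS\site_$SiteCode"
    Get-CimInstance -ComputerName $ProviderHost -Namespace $ns -ClassName SMS_Admin |
        ForEach-Object {
            [pscustomobject]@{
                LogonName    = $_.LogonName
                AdminSid     = $_.AdminSid
                Roles        = (@($_.RoleNames) | Sort-Object) -join ';'   # e.g. "Full Administrator"
                CreatedBy    = $_.CreatedBy
                CreatedDate  = $_.CreatedDate
                ModifiedBy   = $_.ModifiedBy
                ModifiedDate = $_.ModifiedDate
            }
        }
}

function Compare-CMAdminSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    # Key on the SID so a renamed account still matches its earlier entry.
    $base = @{}; foreach ($a in $Baseline) { $base[$a.AdminSid] = $a }
    $cur  = @{}; foreach ($a in $Current)  { $cur[$a.AdminSid]  = $a }

    foreach ($sid in $cur.Keys) {
        if (-not $base.ContainsKey($sid)) {
            [pscustomobject]@{ Change = 'NewAdmin'; LogonName = $cur[$sid].LogonName;
                               Roles = $cur[$sid].Roles; By = $cur[$sid].CreatedBy }
        }
        elseif ($base[$sid].Roles -ne $cur[$sid].Roles) {
            [pscustomobject]@{ Change = 'RolesChanged'; LogonName = $cur[$sid].LogonName;
                               Roles = "$($base[$sid].Roles) -> $($cur[$sid].Roles)"; By = $cur[$sid].ModifiedBy }
        }
    }
    foreach ($sid in $base.Keys) {
        if (-not $cur.ContainsKey($sid)) {
            [pscustomobject]@{ Change = 'RemovedAdmin'; LogonName = $base[$sid].LogonName;
                               Roles = $base[$sid].Roles; By = '' }
        }
    }
}

$baselinePath = 'C:\Baselines\cm-admins.json'   # placeholder path
$current = Get-CMAdminSnapshot -ProviderHost 'SITESRV01' -SiteCode 'PS1'
if (Test-Path $baselinePath) {
    $baseline = Get-Content $baselinePath -Raw | ConvertFrom-Json
    Compare-CMAdminSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
}
else {
    # First run: write the baseline and review it by hand before trusting it.
    $current | ConvertTo-Json -Depth 3 | Set-Content $baselinePath
}
```

The first run only writes the baseline, so review that file against the expected admin list before relying on later diffs; an attacker who was already present when the baseline was taken is otherwise baked into it.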

Technical Details That Impress

Show depth by mentioning:

  • “The SMS Provider uses WMI, so I’d check for WMI access to the root\SMS\site_<code> namespace”
  • “Client Push requires SMB and admin shares - great for detecting lateral movement opportunities”
  • “The Network Access Account is often domain-wide and stored reversibly encrypted in policy”
  • “SCCM admin rights don’t require domain admin, but can achieve equivalent access”
  • “Task Sequences can be weaponized for complex attack chains”

Real-World Context

Demonstrate practical understanding:

  • “SCCM is in most mid-to-large Windows environments - it’s almost guaranteed to be there”
  • “Organizations often trust SCCM traffic implicitly, making it great for blending in”
  • “SCCM databases are gold mines for network mapping and asset inventory”
  • “Compromising SCCM is often faster than attacking AD directly for domain dominance”

Common Interview Questions & Strong Answers

Q: “Have you tested SCCM in your lab environment?”

  • “Yes, I’ve set up a lab with a primary site server and practiced credential extraction, deployment creation, and policy manipulation”
  • “I’ve tested tools like SharpSCCM and PowerSCCM for enumeration and exploitation”

Q: “How would you approach an SCCM-heavy environment during a pentest?”

  • “After initial foothold, I’d check compromised hosts for SCCM clients and extract site information”
  • “Enumerate Management Points and Distribution Points through network reconnaissance”
  • “Look for systems with SCCM console installed - those accounts likely have admin access”
  • “Attempt to access the site database or SMS Provider for credential extraction”
  • “If I gain SCCM admin access, I can achieve rapid lateral movement via deployments”

Q: “What tools would you use for SCCM exploitation?”

  • “SharpSCCM for .NET-based enumeration and exploitation”
  • “PowerSCCM for PowerShell-based operations”
  • “Direct WMI queries for stealth”
  • “Custom SQL queries if database access is obtained”
  • “Built-in Configuration Manager console if available”

Q: “What makes SCCM a high-value target?”

  • “It’s a force multiplier - one compromise can lead to hundreds or thousands of systems”
  • “Deployments run as SYSTEM, providing the highest privilege level”
  • “It’s often trusted and less monitored than direct AD attacks”
  • “SCCM databases contain network topology, credentials, and complete asset inventories”

Technical Terms to Use Confidently

  • Site code - Three-character identifier
  • SMS Provider - WMI interface layer
  • Management Point (MP) - Client communication hub
  • Distribution Point (DP) - Content delivery system
  • CcmExec - Client service name
  • CCMCache - Client content cache location
  • Collections - Targeting mechanism
  • Task Sequence - Multi-step deployment
  • Network Access Account (NAA) - Client-to-DP authentication fallback
  • Client Push - Remote client installation method
  • Boundary Groups - Network location definitions

Red Flags to Avoid

Don’t say:

  • “I’ve never actually worked with SCCM” (implies lack of lab practice)
  • “SCCM is just for patch management” (shows limited understanding)
  • “I’d just attack Active Directory instead” (misses the opportunity)

Do say:

  • “SCCM is one of my priority targets in Windows environments”
  • “I’ve practiced SCCM exploitation in my lab”
  • “I understand the SCCM attack surface and common misconfigurations”

Hands-On Lab Skills to Develop

To back up your interview answers with real experience:

  1. Set up a basic SCCM lab

    • Install Windows Server and SCCM
    • Deploy a few clients
    • Practice basic administration
  2. Practice enumeration

    • Identify SCCM infrastructure from a compromised host
    • Extract site codes, MP/DP locations
    • Query WMI namespaces
  3. Credential extraction

    • Recover Network Access Account
    • Extract Client Push credentials
    • Dump credentials from site database
  4. Deployment creation

    • Create a benign application deployment
    • Target it to a test collection
    • Understand the full deployment lifecycle
  5. Tool familiarity

    • Run SharpSCCM commands
    • Use PowerSCCM modules
    • Write custom WMI queries

Additional Resources

For deeper preparation:

  • SpecterOps SCCM research - Industry-standard attack research
  • SharpSCCM GitHub - Tool documentation and techniques
  • “SCCM Site Takeover” blog posts - Common attack scenarios
  • Microsoft SCCM documentation - Official technical reference

Bottom Line for Interviews

Core message to convey: “SCCM is a critical enterprise infrastructure component that provides significant attack surface. Understanding its architecture, authentication mechanisms, and deployment capabilities allows me to identify high-impact attack paths. In engagements, SCCM compromise often provides faster domain-wide access than traditional AD attacks, making it a priority target.”

This demonstrates:

  • ✅ Technical depth
  • ✅ Real-world relevance
  • ✅ Strategic thinking
  • ✅ Practical experience
  • ✅ Understanding of attacker/defender perspectives