MECM Discovery

Searching for MECM infrastructure can be done with multiple tools. When the MECM role is installed, it creates a few Active Directory objects in the CN=System Management,CN=System,DC= container that tools will look for by querying a domain controller via LDAP. The big ones are:

Object Class

Details

mSSMSSite

Defines MECM site information (e.g., site server name)

mSSMSManagementPoint

Defines the Management Point

mSSMSDistributionPoint

Defines the Distribution Point

So let's enumerate.

GitHub - garrettfoster13/sccmhunter: SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain.GitHub

SCCMHunter is a tool made by one of the researchers at SpecterOps who had a large part in discovering recent MECM vulnerabilities. A more in-depth Wiki can be found at this hyperlink that is not sus. Definitely recommend reviewing the Wiki!

Attacker (Windows/Linux)

# Use LDAP to search for MECM-related objects
python3 sccmhunter.py find -u [username] -p [password] -d [domain] -dc-ip [DC IP]

# Query MECM-related hosts identified from above to determine their site role
python3 sccmhunter.py smb -u [username] -p [password] -d [domain] -dc-ip [DC IP]

# Display all results from the find/smb modules
python3 sccmhunter.py show -all

# Export list of Management Points in JSON format
python3 sccmhunter.py show -mps -json

Attacker (Windows/Linux/macOS)

# Use LDAP to search for MECM-related objects
netexec ldap [DC IP] -u [username] -p [password] -M sccm -o REC_RESOLVE=true

The ldapsearch Command-Line Tooldocs.ldap.com

Linux (Attacker)

ldapsearch \
  -H ldap://dc.domain.local -D 'user@domain' -w 'password' \
  -b 'CN=System Management,CN=System,DC=domain,DC=local' \
  -s one '(objectClass=mSSMSManagementPoint)' \
  dNSHostName cn mSSMSSiteCode

PreviousMECM Architecture NextManagement Point Abuse

Last updated 12 days ago