SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting — Quentin Roland
Date: 6 June 2025 at 10:45 — 15 min.
SCCM policies are a prime target for attackers in Active Directory environments as they may expose – intentionally or otherwise – sensitive technical information such as account credentials. These credentials could be retrieved by authenticated attackers impersonating a registered device, or in some cases from an unauthenticated position by exploiting misconfigurations in policy distribution.
This talk will present SCCMSecrets.py (https://github.com/synacktiv/SCCMSecrets), a tool that aims to provide an exhaustive approach to exploiting SCCM policy distribution. After a quick reminder of SCCM (now MECM) environments and SCCM policies, the presentation will showcase concrete exploit demonstrations using SCCMSecrets.py. It will also explain how these attacks were implemented in impacket's ntlmrelayx and show how to execute them via NTLM relaying.