Documentation overview
Feel free to add me on Discord (ice0) or LinkedIn if you have any questions about the attacks or setting up the SCCM lab.
This is just a walkthrough. All credit for the original research on SCCM goes to the people at SpecterOps, Synacktiv, and MWR CyberSec.
Changelog
- 14/08/2025 - I will add the new SCCM techniques when I have time.
- 21/05/2025 - Added Domain Credentials in PXE boot images/files to the SCCM - Other page.
AD - SCCM
SCCM - Basics
SCCM Basics
SCCM - General
General SCCM Information
SCCM - RECON
RECON 1, 2, 3, 4 and 5
SCCM - CRED
CRED 1, 2, 3, 4, 5 and 6
SCCM - ELEVATE
ELEVATE 1, 2 and 3
SCCM - TAKEOVER
TAKEOVER 1, 2, 3 and 8
SCCM - EXEC
EXEC 1 and 2
SCCM - OTHER
Additional SCCM attacks