ccmpwn.py - lateral movement script that leverages the CcmExec service to remotely hijack user sessions.
System Center Configuration Manager (SCCM) clients make use of the CcmExec service, which initiates the execution of C:\Windows\CCM\SCNotification.exe for every logged-in user. Leveraging the fact that SCNotification.exe is a .NET application, red team operators could modify its configuration file (C:\Windows\CCM\SCNotification.exe.config) to execute an AppDomainManager payload or coerce authentications as the affected users. This technique provides operators an alternative approach to credential dumping or process injection. Operators must have local administrator privileges on the target system. Read more about this technique and defense recommendations at SeeSeeYouExec: Windows Session Hijacking via CcmExec.
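Because the technique relies on editing a .NET application config, the most direct defensive check is to inspect SCNotification.exe.config for AppDomainManager directives in its runtime section. The script below is an added example and is not part of ccmpwn.py or the referenced write-up: it parses a config (from a string or a file path) and reports any appDomainManagerAssembly / appDomainManagerType entries. The two sample configs are constructed, and the assembly and type values in the tampered sample are placeholders.

```python
"""Defender-side check for AppDomainManager entries in a .NET app config.

Added example, not part of ccmpwn.py. It parses a .config file (or a
string) and reports whether the <runtime> section names an
appDomainManagerAssembly / appDomainManagerType, which is the hook the
technique above depends on. The sample configs below are constructed;
the file to check on an SCCM client is
C:\\Windows\\CCM\\SCNotification.exe.config.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Runtime elements that tell the CLR to load a custom AppDomainManager
# before the application's own Main() runs.
SUSPICIOUS_RUNTIME_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def find_appdomainmanager_entries(config_xml: str) -> dict:
    """Return {element_name: value} for every AppDomainManager directive found.

    An empty dict means the config carries no such directive. Elements are
    matched by local name, so a namespaced <runtime> section is still handled.
    """
    root = ET.fromstring(config_xml)
    findings = {}
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # strip any XML namespace prefix
        if local in SUSPICIOUS_RUNTIME_ELEMENTS:
            findings[local] = elem.get("value", "")
    return findings


def check_config_file(path: str) -> dict:
    """Read a config file from disk and run the same check on its contents."""
    return find_appdomainmanager_entries(Path(path).read_text(encoding="utf-8"))


# Constructed sample: a benign config with no AppDomainManager directive.
CLEAN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.2"/>
  </startup>
  <runtime>
    <gcServer enabled="false"/>
  </runtime>
</configuration>
"""

# Constructed sample: the same config with a custom AppDomainManager wired in.
# Assembly and type names are placeholders, not real artefacts.
TAMPERED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.2"/>
  </startup>
  <runtime>
    <appDomainManagerAssembly value="PLACEHOLDER_ASSEMBLY, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="PLACEHOLDER_NAMESPACE.PLACEHOLDER_TYPE"/>
  </runtime>
</configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        hits = find_appdomainmanager_entries(cfg)
        print(f"{label}: {'ALERT' if hits else 'ok'} {hits}")
```

On a real client, call check_config_file on the SCNotification.exe.config path and alert on any non-empty result; a legitimate SCCM client config is not expected to name an AppDomainManager, so presence alone is the signal, and comparing the file's hash against a known-good baseline catches other edits as well.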
Author: Andrew Oliveau (@AndrewOliveau)
ccmpwn.py can perform the following actions:
- exec - execute an AppDomainManager payload for every logged-in user. Specify your -dll and malicious -config to upload to the target
- coerce - coerce smb or http authentication for every logged-in user (-method). Specify the computer for users to authenticate to (-computer)
- query - query logged-in users via WMI
- status - query CcmExec service status
pip3 install impacket