/SCOMDecrypt

SCOMDecrypt is a tool to decrypt stored RunAs credentials from SCOM servers

Primary LanguageC#

SCOMDecrypt - SCOM Credential Decryption Tool

Released as open source by NCC Group Plc - http://www.nccgroup.trust/

Developed by Richard Warren, richard [dot] warren [at] nccgroup [dot] trust

http://www.github.com/nccgroup/SCOMDecrypt

Released under AGPL, see LICENSE for more information

Introduction

This tool is designed to retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases.

For background, please see the NCC Group blog post here

Pre-requisites

To run the tool you will require administrative privileges on the SCOM server. You will also need to ensure that you have read access to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\MOMBins

You can check manually that you can see the database by gathering the connection details from the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseName

Usage

The tool comes in two formats.The first is a C# binary which can simply be run on the SCOM server with no arguments as following:

.\SCOMDecrypt.exe
[+] <SCXUser><UserId>bob</UserId><Elev>sudo</Elev></SCXUser>:H a c k T h e P l a n e t
[+] administrator:W i n t e r 2 0 1 5 !
[+] alice:P a s s w 0 r d 1 2 3 !

There is also a PowerShell version of the tool too. This is useful in a post-exploitation scenario for use with tools such as Cobalt Strike or Empire. To use the tool with Cobalt Strike:

powershell-import C:\path\to\SCOMDecrypt.ps1
powershell Invoke-SCOMDecrypt
[+] <SCXUser><UserId>bob</UserId><Elev>sudo</Elev></SCXUser>:H a c k T h e P l a n e t
[+] administrator:W i n t e r 2 0 1 5 !
[+] alice:P a s s w 0 r d 1 2 3 !

To run within the PowerShell console:

powershell.exe -exec bypass
. .\Invoke-SCOMDecrypt.ps1
Invoke-SCOMDecrypt
...