Back in 2022, Adam Chester released a C# Proof of Concept (PoC) to decrypt credentials vaulted by Microsoft’s System Center Configuration Manager (SCCM), such as Client Push Accounts, NAAs, etc., when run on an SCCM Site Server. This original PoC can be found here, and the decryption process was further expanded upon in a companion tweet thread here. While this was the first time I had heard about credential decryption in SCCM, as Adam noted in his tweet thread, he had essentially recreated the functionality of the already existing misc::sccm module of Mimikatz, originally added to the tool in 2021. Adam’s code for credential decryption was subsequently incorporated into other toolsets (e.g., I shamelessly ripped it off and tossed it into SQLRecon).
This worked out quite well for us on our adversary simulation engagements for the most part, and we were able to pull credentials from the SCCM database and decrypt them on the site server as expected. However, periodically we would run into environments where, for whatever reason, decryption of credentials failed completely. It quickly became apparent that the encrypted credentials in these environments were formatted using a completely different structure than the typical blob that could be processed, so the existing options (that I found) for credential decryption failed on them.
I wasn’t able to find a great answer online to address this discrepancy, but not being able to recover passwords from SCCM in some environments ended up being a back-burner problem for our team, since typically, if you’re at the point where you have admin privileges on an SCCM Site Server, you can escalate through one of several other paths (e.g., script creation + execution on a client, injecting into a privileged session on the host, etc.). While not immediately impactful, it was always super annoying for me when I found an encrypted domain admin password that was *right* there but couldn’t resolve it to plaintext, and I was never happy that I couldn’t explain the formatting discrepancy.
This stuck around as one of those projects to get to “eventually” until a hint at the root cause of this discrepancy led me to dig into SCCM encryption internals and figure out exactly what was happening with encryption in SCCM, and why.