You’re on a red team engagement and stumble across an SCCM database and site-server backup on a network share. Jackpot ... or maybe not? The database holds the keys to powerful domain credentials, but the secrets are encrypted. Normally, you’d rely on a live SCCM server to decrypt them, but that’s too privileged, you don't have access to it, or it's too noisy for your operation. So what’s next? In this blog post, we show how SCCM backup secrets can be decrypted fully offline, and outline the exact artifacts you need to loot to make it work.
In this repo you will find step-by-step documentation on how to decrypt SCCM backup secrets offline. We did not discover an innovative technique, but mainly pieced together various articles, tweets (credit to Gentilkiwi and XPN) and considerations that can be found online, into a single repo for easy use. This might save you sweat and time in your next red team mission. Have fun!
The repo includes:
- PDF file with the full article.
- Python script to ease decryption of SCCM secrets offline.
Just provide the encrypted SCCM account secret you find in the SC_UserAccount table and the plaintext SCCM RSA private key.
Note: You first need to retrieve the SCCM RSA private key from the SCCM site server and various key material required to decrypt it. Read the article to see what and how :)
python offlineSCCMdecrypt.py <encrypted_DB_entry> <SCCM_RSA_PVK_file>

Although I am publishing the article and documenting the process, most merit should be given to my colleagues Maxime Clementz and Hayk Gevorgyan, who executed it during a mission, and Claudiu Pancotan, who reproduced it independently a few weeks before we did.