SpecterOps/SCOMHound

SCOMHound

A BloodHound OpenGraph proof of concept extension for enumerating System Center Operations Manager (SCOM) infrastructure from Active Directory.

In progress

  • Fix parsing and ingesting the Data Access account
  • Add HTTP enum for Web Management Console
  • Build high privilege collection

Installation

Install uv

curl -LsSf https://astral.sh/uv/install.sh | sh

git clone https://github.com/SpecterOps/SCOMHound.git
cd SCOMHound
uv sync
uv run main.py -h

Usage

Command Line Options

(scomhound) ➜  SCOMHound git:(master) ✗ uv run main.py -h
usage: main.py [-h] -u USERNAME [-p PASSWORD] [-hashes LMHASH:NTHASH] [-aes HEX KEY] [-k KERBEROS] [-no-pass NO_PASS] [-d DOMAIN] [-dc-ip DC_IP] [-ldaps LDAPS] [-fqdn FQDN]

System Center Operations Manager (SCOM) OpenGraph Extension

options:
  -h, --help            show this help message and exit
  -u, --username USERNAME
                        username
  -p, --password PASSWORD
                        password
  -hashes LMHASH:NTHASH
                        LM and NT hashes, format is LMHASH:NTHASH
  -aes HEX KEY          AES key to use for Kerberos Authentication (128 or 256 bits)
  -k, --kerberos KERBEROS
                        Use Kerberos authentication
  -no-pass NO_PASS      don't ask for password (useful for -k)
  -d, --domain DOMAIN   target domain
  -dc-ip DC_IP          target DC IP Address
  -ldaps LDAPS          Use LDAPS instead of LDAP
  -fqdn FQDN            FQDN of domain controller

Node Types

SCOMMgmtGrp

Represents a SCOM Management Group, the central administrative unit of a SCOM deployment.

SCOMMgmtSvr

Represents a SCOM Management Server, one of the servers that perform monitoring and management tasks for a management group.

SCOMAdmin

Represents administrators with full control over SCOM management groups.

SCOMMgmtGrpClient

Represents systems monitored by SCOM.

SCOMSdk

Represents SCOM SDK service accounts.

Edge Types

AdminTo

Represents administrative control over a SCOM management group.

Source: SCOMAdmin; Target: SCOMMgmtGrp

Abuse Info: Administrators with AdminTo privileges can perform any management operation within the SCOM infrastructure, including deploying agents, executing tasks, and accessing credentials.

ManagesGroup

Represents management servers that are members of a management group.

Source: SCOMMgmtSvr; Target: SCOMMgmtGrp

Monitors

Represents monitoring relationships between management groups and clients.

Source: SCOMMgmtGrp; Target: SCOMMgmtGrpClient

Abuse Info: The monitoring relationship implies the ability to execute code on monitored systems via SCOM tasks, patches, or agent updates. Compromising the management group provides a path to compromise all monitored clients.

References: PLACEHOLDER
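The node and edge types above map onto BloodHound's OpenGraph generic ingest format. The following is an added example, not SCOMHound's own code (SCOMHound builds its output with the bhopengraph library, which is not used here): it turns a constructed SCOM inventory into an OpenGraph JSON document using the five node kinds and three edge kinds documented above, and then walks AdminTo -> Monitors in memory the same way the attack-path Cypher query in this README does. The JSON field names (graph.nodes, graph.edges, kinds, match_by, metadata.source_kind) follow my reading of the OpenGraph format and should be checked against the current BloodHound documentation; the hostnames and group names are constructed sample data.

```python
"""Build a BloodHound OpenGraph ingest file from SCOM data (added example).

Not SCOMHound's own code. Field names follow my understanding of the
OpenGraph generic-ingest layout and are an assumption to verify against
the BloodHound docs. All SCOM objects below are constructed sample data.
"""
import json

# Every node also carries SCOMBase so `MATCH (n:SCOMBase)` returns all of them.
BASE_KIND = "SCOMBase"

# Constructed sample inventory standing in for an AD enumeration result.
SAMPLE_SCOM = {
    "management_group": "OM-PROD",
    "management_servers": ["scom01.corp.example", "scom02.corp.example"],
    "admins": ["CORP\\SCOM Admins"],
    "clients": ["web01.corp.example", "sql01.corp.example"],
}


def node(node_id, kind, name):
    """One OpenGraph node: stable id, kind list (specific kind + SCOMBase), properties."""
    return {"id": node_id, "kinds": [kind, BASE_KIND], "properties": {"name": name}}


def edge(kind, start_id, end_id):
    """One directed OpenGraph edge between two node ids (matched by id, not name)."""
    return {"kind": kind,
            "start": {"value": start_id, "match_by": "id"},
            "end": {"value": end_id, "match_by": "id"},
            "properties": {}}


def build_graph(scom):
    """Map the inventory onto the README's node and edge types."""
    mg_id = f"scommgmtgrp:{scom['management_group']}".lower()
    nodes = [node(mg_id, "SCOMMgmtGrp", scom["management_group"])]
    edges = []
    for server in scom["management_servers"]:
        sid = f"scommgmtsvr:{server}".lower()
        nodes.append(node(sid, "SCOMMgmtSvr", server))
        edges.append(edge("ManagesGroup", sid, mg_id))      # server -> group
    for admin in scom["admins"]:
        aid = f"scomadmin:{admin}".lower()
        nodes.append(node(aid, "SCOMAdmin", admin))
        edges.append(edge("AdminTo", aid, mg_id))           # admin -> group
    for client in scom["clients"]:
        cid = f"scommgmtgrpclient:{client}".lower()
        nodes.append(node(cid, "SCOMMgmtGrpClient", client))
        edges.append(edge("Monitors", mg_id, cid))          # group -> client
    return {"graph": {"nodes": nodes, "edges": edges},
            "metadata": {"source_kind": BASE_KIND}}


def admin_reach(graph):
    """Clients reachable over AdminTo -> Monitors, per admin id.

    Same relationship as the README's 'Find attack paths from admins to
    clients' Cypher query, evaluated on the in-memory graph so the result
    can be reviewed before ingestion."""
    monitors = {}
    for e in graph["graph"]["edges"]:
        if e["kind"] == "Monitors":
            monitors.setdefault(e["start"]["value"], set()).add(e["end"]["value"])
    reach = {}
    for e in graph["graph"]["edges"]:
        if e["kind"] == "AdminTo":
            reach.setdefault(e["start"]["value"], set()).update(
                monitors.get(e["end"]["value"], set()))
    return reach


if __name__ == "__main__":
    g = build_graph(SAMPLE_SCOM)
    with open("scomhound_sample.json", "w") as fh:   # ready for BloodHound file ingest
        json.dump(g, fh, indent=2)
    for admin, clients in admin_reach(g).items():
        print(f"{admin} -> {sorted(clients)}")
```

Node ids are prefixed with the kind and lower-cased so that the same host appearing both as a management server and as a monitored client yields two distinct nodes, which is what the README's model (separate SCOMMgmtSvr and SCOMMgmtGrpClient kinds) implies; if your collector should merge them, drop the prefix and attach both kinds to one node.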

Cypher Queries

Show all SCOM nodes

MATCH (n:SCOMBase)
RETURN n
LIMIT 50

Show complete SCOM infrastructure

MATCH p=(admin:SCOMAdmin)-[:AdminTo]->(mg:SCOMMgmtGrp)
OPTIONAL MATCH p2=(server:SCOMMgmtSvr)-[:ManagesGroup]->(mg)
OPTIONAL MATCH p3=(mg)-[:Monitors]->(client:SCOMMgmtGrpClient)
RETURN p, p2, p3

Find attack paths from admins to clients

MATCH p=(admin:SCOMAdmin)-[:AdminTo]->(mg:SCOMMgmtGrp)-[:Monitors]->(client:SCOMMgmtGrpClient)
RETURN p

Find all admins for SCOM

MATCH (admin:SCOMAdmin)-[:AdminTo]->(mg:SCOMMgmtGrp)
RETURN admin.name, mg.name
ORDER BY admin.name

Find management servers

MATCH (server:SCOMMgmtSvr)-[:ManagesGroup]->(mg:SCOMMgmtGrp)
RETURN server.name, mg.name
ORDER BY mg.name

Credits

Built with BloodHound OpenGraph framework

Built with bhopengraph by @podalirius_
