@1058274 1058274 commented Aug 11, 2025

The block cipher algorithm for task sequence blobs in SCCM secret policies seems to have changed from 3DES to AES starting from (I believe) SCCM version 2403. You can recognize 3DES and AES blobs by the prefixes 8913 and 8A13 respectively. Surprisingly, none of the existing public SCCM tools seem to support this yet, which can result in missing out on high-value credentials.

This PR adds support for the decryption of such AES-encrypted blobs when using ntlmrelayx with the --sccm-policies flag to dump secret policies from the SCCM MP using a relay. Testing has been done with the Ludus SCCM Lab, which by default runs a version before 2403 and which you can manually upgrade to the latest available version on the SCCM site server. This allows easily reproducing the situation before and after.
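The following is an added example, not code from this PR or from impacket, showing how a tool can use the 8913 / 8A13 prefixes above to decide which cipher protects a secret-policy blob before attempting decryption, and then carrying the legacy 3DES path through end to end. It goes beyond the PR text: the blob layout (4-byte marker, 40 bytes of key material at offset 4, little-endian ciphertext length at offset 52, ciphertext from offset 64), the zero IV and the CryptDeriveKey/SHA-1 key derivation are assumptions taken from the publicly known 3DES deobfuscation routine used by earlier SCCM tooling, and must be checked against a real blob. The 8A13 (AES) branch deliberately stops at the dispatch, since this page does not describe the AES key derivation the PR implements. `build_3des_blob` only constructs test input with that assumed layout so the routine can be exercised offline.

```python
"""Added example: dispatch SCCM secret-policy blobs on their cipher marker and
decrypt the 3DES (8913) variant.  Not the PR's or impacket's code.  Header
offsets, zero IV and key derivation are ASSUMED from public 3DES tooling."""
import hashlib

try:  # pycryptodome, the library impacket itself depends on
    from Crypto.Cipher import DES3 as _DES3

    def _des3_cbc(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
        cipher = _DES3.new(key, _DES3.MODE_CBC, iv)
        return cipher.encrypt(data) if encrypt else cipher.decrypt(data)
except ImportError:  # fall back to pyca/cryptography
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _des3_cbc(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
        cipher = Cipher(algorithms.TripleDES(key), modes.CBC(iv))
        op = cipher.encryptor() if encrypt else cipher.decryptor()
        return op.update(data) + op.finalize()

BLOB_MARKERS = {"8913": "3DES", "8a13": "AES"}  # hex prefixes named in the PR
ZERO_IV = bytes(8)                              # assumed: public 3DES routine uses an all-zero IV


def identify_blob(blob_hex: str) -> str:
    """Return '3DES', 'AES' or 'unknown' from the first two bytes of the hex blob."""
    return BLOB_MARKERS.get(blob_hex[:4].lower(), "unknown")


def mscrypt_derive_key_sha1(secret: bytes) -> bytes:
    """CryptDeriveKey(CALG_SHA1 -> 192-bit 3DES): the 20-byte digest is shorter than
    the key, so Windows XORs it into 64-byte 0x36 and 0x5C buffers, hashes both
    and concatenates the results, keeping the first 24 bytes."""
    digest = hashlib.sha1(secret).digest()
    buf1 = bytearray([0x36] * 64)
    buf2 = bytearray([0x5C] * 64)
    for i, b in enumerate(digest):
        buf1[i] ^= b
        buf2[i] ^= b
    return (hashlib.sha1(buf1).digest() + hashlib.sha1(buf2).digest())[:24]


def _pkcs7_pad(data: bytes) -> bytes:
    n = 8 - len(data) % 8
    return data + bytes([n]) * n


def _pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= 8 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding: wrong key material or corrupted blob")
    return data[:-n]


def deobfuscate_secret_policy_blob(blob_hex: str) -> str:
    """Dispatch on the marker and decrypt; returns the UTF-16-LE plaintext."""
    algo = identify_blob(blob_hex)
    blob = bytes.fromhex(blob_hex)
    if algo == "AES":
        # 8A13: the AES routine the PR adds to ntlmrelayx; not described on this page.
        raise NotImplementedError("8A13/AES blob: AES deobfuscation not shown here")
    if algo != "3DES":
        raise ValueError(f"unrecognised blob marker {blob_hex[:4]!r}")
    key = mscrypt_derive_key_sha1(blob[4:4 + 0x28])      # assumed: 40 bytes of key material
    data_len = int.from_bytes(blob[52:56], "little")     # assumed: ciphertext length
    ciphertext = blob[64:64 + data_len]                  # assumed: ciphertext start
    plaintext = _pkcs7_unpad(_des3_cbc(key, ZERO_IV, ciphertext, encrypt=False))
    return plaintext.decode("utf-16-le")


def build_3des_blob(secret: str, key_material: bytes) -> str:
    """Constructed test input (not a real SCCM blob): lays out a blob with the
    assumed 3DES format so the decrypt path can be exercised offline.  Header
    fields other than marker, key material and length are zero-filled."""
    assert len(key_material) == 0x28
    key = mscrypt_derive_key_sha1(key_material)
    ciphertext = _des3_cbc(key, ZERO_IV, _pkcs7_pad(secret.encode("utf-16-le")), encrypt=True)
    header = bytearray(64)
    header[0:2] = b"\x89\x13"
    header[4:4 + 0x28] = key_material
    header[52:56] = len(ciphertext).to_bytes(4, "little")
    return (bytes(header) + ciphertext).hex()


if __name__ == "__main__":
    # Constructed sample, not captured from a site server.
    demo = build_3des_blob("NAA-P@ssw0rd!", bytes(range(0x28)))
    print(identify_blob(demo), deobfuscate_secret_policy_blob(demo))
```

When a 2403+ site server is in play, `identify_blob` returning "AES" is the signal that a 3DES-only tool would silently return garbage or fail on padding; checking the marker first, as above, turns that into an explicit, logged condition instead of a missed credential.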

@anadrianmanrique added the medium (Medium priority item) label on Aug 21, 2025