PowerSCCM - PowerShell module to interact with SCCM databases for both offensive & defensive applications.


PowerSCCM is a set of functions to facilitate connections to and queries from SCCM databases for both offensive and defensive applications. The code is kept PowerShell Version 2.0 compliant with no external dependencies.

Usage:
PowerSCCM will keep track of established SCCM database sessions, allowing you to reuse these sessions with common queries. To establish a new session, use New-SCCMSession along with the name of the computer with the SCCM database (-ComputerName) and the SCCM site database name (-DatabaseName):
New-SCCMSession -ComputerName SCCM.testlab.local -DatabaseName CM_LOL

This session is now stored in $Script:SCCMSessions and reusable by Get-SCCMSession.

To find the available SCCM databases on a server you have access to, use Find-SCCMDatabase:
Find-SCCMDatabase -ComputerName SCCM.testlab.local

To retrieve all current SCCM session objects, use Get-SCCMSession with optional -Id, -Name, -ComputerName, or -DatabaseName arguments. To close and remove a session, use Remove-SCCMSession with any of the same arguments, or the -Session argument for an SCCM session object (passable on the pipeline).
Get-SCCMSession | Remove-SCCMSession

SCCM Database/Server Functions

Various functions that deal with querying/changing information concerning the SCCM database or server, as opposed to dealing with querying inventoried client information.

+ Find-SCCMDatabase : Finds the accessible SCCM databases given a MSSQL server.
+ Get-SCCMApplicationCI : Returns information on user-deployed applications in an SCCM database.
+ Get-SCCMPackage : Returns information on user-deployed packages in an SCCM database.
+ Get-SCCMConfigurationItem : Returns SCCM configuration items in an SCCM database.
+ Set-SCCMConfigurationItem : Sets a field to a particular value for a SCCM configuration keyed by CI_ID.
+ Get-SCCMCollection : Returns SCCM collections that exist on the primary site server.
+ Get-SCCMCollectionMember : Returns SCCM collection members.

Get-SCCM*

Query functions require -Session (passable on the pipeline):
– Get-SCCMSession | Get-SCCMRecentlyUsedApplication | Export-CSV -NoTypeInformation recent_apps.csv
– Get-SCCMRecentlyUsedApplication -Session $Session | Export-CSV -NoTypeInformation recent_apps.csv
All of these functions also share a common set of optional parameters:

-Newest – return only the X newest entries from the database.
-OrderBy – order the results by a particular field.
-Descending – if -OrderBy is set, display results in descending order.
-ComputerNameFilter – only return results for a particular computer name.
-TimeStampFilter – the SCCM collection timestamp to filter on, accepts <> operators.
Each function also has a set of custom -XFilter parameters that allow for query filtering on specific field names/values.

+ Get-SCCMService : Returns information on the current set of running services as of the last SCCM agent query/checkin.
+ Get-SCCMServiceHistory : Returns information on the historical set of running services as of the last SCCM agent query/checkin.
+ Get-SCCMAutoStart : Returns information on the set of autostart programs as of the last SCCM agent query/checkin.
+ Get-SCCMProcess : Returns information on the set of currently running processes as of the last SCCM agent query/checkin.
+ Get-SCCMProcessHistory : Returns information on the historical set of running processes as of the last SCCM agent query/checkin.
+ Get-SCCMRecentlyUsedApplication : Returns information on recently launched applications on hosts as of the last SCCM agent query/checkin.
+ Get-SCCMDriver : Returns information on the set of currently loaded system drivers as of the last SCCM agent query/checkin.
+ Get-SCCMConsoleUsage : Returns historical information on user console usage as of the last SCCM agent query/checkin.
+ Get-SCCMSoftwareFile : Returns information on inventoried non-Microsoft software files. This option is not enabled by default in SCCM; we recommend setting SCCM to inventory all *.exe files on hosts.
+ Get-SCCMBrowserHelperObject : Returns information on discovered browser helper objects. This option is not enabled by default in SCCM.
+ Get-SCCMShare : Returns information on discovered shares. This option is not enabled by default in SCCM.
+ Get-SCCMPrimaryUser : Returns user/machine pairings where the user is set as a ‘Primary User’ through SCCM.

Find-SCCM*
Meta-functions that use the Get-SCCM* query functions to find common ‘bad’ things. All of these functions require -Session (passable on the pipeline).
+ Find-SCCMRenamedCMD : Finds renamed cmd.exe executables using Get-SCCMRecentlyUsedApplication and appropriate filters.
+ Find-SCCMUnusualEXE : Finds recently launched applications that don’t end in *.exe using Get-SCCMRecentlyUsedApplication and appropriate filters.
+ Find-SCCMRareApplication : Finds the rarest -Limit recently launched applications that don’t end in *.exe using Get-SCCMRecentlyUsedApplication and appropriate filters.
+ Find-SCCMPostExploitation : Finds recently launched applications commonly used in post-exploitation.
+ Find-SCCMPostExploitationFile : Finds indexed .exe’s commonly used in post-exploitation.
+ Find-SCCMMimikatz : Finds launched mimikatz instances by searching the ‘FileDescription’ and ‘CompanyName’ fields of recently launched applications.
+ Find-SCCMMimikatzFile : Finds inventoried mimikatz.exe instances by searching the ‘FileDescription’ field of inventoried .exe’s.
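
An added example, not code from PowerSCCM: the kind of filtering the renamed-cmd, unusual-extension and rare-application hunts above describe, run over constructed rows so it works without an SCCM database. The column names and the helper functions Find-RenamedCmd, Find-UnusualExtension and Find-RareApplication are assumptions for illustration.

```powershell
# Constructed sample rows standing in for recently-used-application records.
# Column names (ComputerName, FileName, FileDescription) are assumptions for
# this sketch; inspect real results with Get-Member before adapting it.
$Records = @'
ComputerName,FileName,FileDescription
WS01,cmd.exe,Windows Command Processor
WS02,cmd.exe,Windows Command Processor
WS03,svchosts.exe,Windows Command Processor
WS01,chrome.exe,Google Chrome
WS02,chrome.exe,Google Chrome
WS03,chrome.exe,Google Chrome
WS02,report.scr,Quarterly report
WS03,notepad.exe,Notepad
'@ | ConvertFrom-Csv

function Find-RenamedCmd {
    # Version metadata says cmd.exe, but the file on disk has another name.
    # -eq and -ne are case-insensitive, so CMD.EXE is treated as cmd.exe.
    param([object[]]$Record)
    $Record | Where-Object {
        $_.FileDescription -eq 'Windows Command Processor' -and
        $_.FileName -ne 'cmd.exe'
    }
}

function Find-UnusualExtension {
    # Launched programs whose file name does not end in .exe.
    param([object[]]$Record)
    $Record | Where-Object { $_.FileName -notlike '*.exe' }
}

function Find-RareApplication {
    # Least-frequency analysis: rank file names by the number of distinct
    # hosts that launched them and keep the $Limit rarest.
    param([object[]]$Record, [int]$Limit = 3)
    $Record | Group-Object -Property FileName | ForEach-Object {
        New-Object PSObject -Property @{
            FileName  = $_.Name
            HostCount = @($_.Group | Select-Object ComputerName -Unique).Count
        }
    } | Sort-Object -Property HostCount, FileName | Select-Object -First $Limit
}

Find-RenamedCmd       -Record $Records | Format-Table -AutoSize
Find-UnusualExtension -Record $Records | Format-Table -AutoSize
Find-RareApplication  -Record $Records -Limit 3 | Format-Table FileName, HostCount -AutoSize
```

Counting distinct hosts rather than raw launches keeps one busy workstation from making a binary look common across the estate.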

SCCM Active Directory Functions
+ Get-SCCMADForest : Returns information on Active Directory forests enumerated by SCCM agents.
+ Get-SCCMADUser : Returns information on Active Directory users enumerated by SCCM agents.
+ Get-SCCMADGroup : Returns information on Active Directory groups enumerated by SCCM agents.
+ Get-SCCMADGroupMember : Returns information on Active Directory group membership enumerated by SCCM agents.

Download : PowerSCCM.zip
Source : https://github.com/PowerShellMafia