CcmPwn: leverages the CcmExec service to remotely hijack user sessions

CcmPwn – lateral movement script that leverages the CcmExec service to remotely hijack user sessions.


System Center Configuration Manager (SCCM) clients make use of the CcmExec service, which initiates the execution of C:\Windows\CCM\SCNotification.exe for every logged-in user. Leveraging the fact that SCNotification.exe is a .NET application, red team operators could modify its configuration file (C:\Windows\CCM\SCNotification.exe.config) to execute an AppDomainManager payload or coerce authentications as the affected users. This technique provides operators with an alternative approach to credential dumping or process injection. Operators must have local administrator privileges on the target system.

Read more about this technique and defense recommendations at SeeSeeYouExec: Windows Session Hijacking via CcmExec.
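A defender-side check for the configuration change described above, added here as an example and not taken from CcmPwn or the referenced article: it parses a .NET application config and reports the `appDomainManagerAssembly` and `appDomainManagerType` runtime elements, which are how a .NET Framework config names a custom AppDomainManager. Both sample configs are constructed for illustration and are not the real contents of SCNotification.exe.config.

```python
import sys
import xml.etree.ElementTree as ET

# Path taken from the page; pass a different path as argv[1] to audit a copy.
DEFAULT_PATH = r"C:\Windows\CCM\SCNotification.exe.config"

# .NET Framework <runtime> settings that load a custom AppDomainManager.
ADM_ELEMENTS = {"appdomainmanagerassembly", "appdomainmanagertype"}

# Constructed samples (assumptions, not the shipped file).
BASELINE = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

TAMPERED = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleAsm, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleNamespace.ExampleManager" />
  </runtime>
</configuration>"""


def audit_config(xml_data):
    """Return findings (list of str) for one .exe.config document (str or bytes)."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        # An unparsable config on a managed client also deserves review.
        return [f"unparsable config: {exc}"]
    findings = []
    for elem in root.iter():
        name = elem.tag.rsplit("}", 1)[-1]  # drop any '{namespace}' prefix
        if name.lower() in ADM_ELEMENTS:
            findings.append(f"{name}={elem.get('value', '')}")
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    with open(path, "rb") as fh:  # bytes, so the XML declaration sets the encoding
        results = audit_config(fh.read())
    for line in results:
        print(f"[!] {path}: {line}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it finds anything, so it can run as a scheduled compliance check; alerting on writes to the same file covers changes made between runs.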


git clone

pip3 install impacket



CcmPwn can perform the following actions:

  • exec – execute an AppDomainManager payload for every logged-in user. Specify the -dll and the malicious -config to upload to the target
  • coerce – coerce SMB or HTTP authentication for every logged-in user (-method). Specify the computer that users should authenticate to with -computer
  • query – query logged-in users via WMI
  • status – query CcmExec service status

Copyright (C) 2024 mandiant