SCCM Indexing and Filelib Hash Resolution #181

Closed
ZephrFish wants to merge 446 commits into SnaffCon:master from ZephrFish:master

@ZephrFish ZephrFish commented Oct 9, 2025

Needs more testing in broader environments; HOWEVER, this is working in my home lab with 8 machines.

Add SCCM integration with automatic discovery and content library resolution:

  • Implement SCCM share discovery (SCCMContentLib$, SCCM$, etc.)
  • Add content library file hash resolution using DataLib index
  • Support for INI-based content hash lookups and file mapping
  • LRU cache for efficient repeated hash resolutions
  • Detection rules for SCCM deployment packages and content files
  • Hash resolution logic borrowed from CMLoot for accurate file identification. If you're curious about the logic, I read the blog post originally here, then found the tool.

New components:

  • SCCMDiscovery.cs: Automatic SCCM share enumeration
  • SCCMContentLibResolver.cs: Content library hash resolution
  • SCCMFileMapping.cs: File path to content hash mapping
  • LRUCache.cs: Caching layer for performance
  • KeepSCCMContentFiles.toml: Detection rule for SCCM content

Integration points:

  • ShareFinder: SCCM share detection and prioritization
  • TreeWalker: SCCM-aware file enumeration
  • FileClassifier: SCCM content identification

l0ss and others added 30 commits June 15, 2021 08:07
fixed up some noisy rules, made Main() public so can load with ps ref…
Fixed false positives stemming from 'net user?' regex
Fixed horrible false-pos rule in ruby code.
…his code because I'm bad at git. Sorry mate.
…nd is accurate and distinguishes between write and modify!
ZephrFish and others added 23 commits September 30, 2024 16:14
Updated -n flag to take an input file allowing for parsing list of target hosts
Additional detection of unquoted credentials which are used with for example the parameter -password
Changing the rule identifying client secrets to identify unquoted secrets as well.
Change an existing rule to find more candy.
Additional regex in KeepPassOrKeyInCode.toml
…rgetIPList

Add ReverseDNSLookup in SnaffCon.cs to fix SnaffCon#161 for named target IPs
added .ucs file extension for F5 appliance backups, cheers plugger!
Update KeepInfraAsCodeConfigByExtension.toml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Fix for passing target Domain without target DC or DC as FQDN instead of IP - also made -i accept comma separated list
@ZephrFish ZephrFish changed the title SCCM Indexing and Resolution SCCM Indexing and Filelib Hash Resolution Oct 9, 2025
@ZephrFish
Contributor Author

Have pushed changes to fix auto checks with CI build :)

Add SCCM integration with automatic discovery and content library resolution:

- Implement SCCM share discovery (SCCMContentLib$, SCCM$, etc.)
- Add content library file hash resolution using DataLib index
- Support for INI-based content hash lookups and file mapping
- LRU cache for efficient repeated hash resolutions
- Detection rules for SCCM deployment packages and content files
- Hash resolution logic borrowed from CMLoot for accurate file identification

New components:
- SCCMDiscovery.cs: Automatic SCCM share enumeration
- SCCMContentLibResolver.cs: Content library hash resolution
- SCCMFileMapping.cs: File path to content hash mapping
- LRUCache.cs: Caching layer for performance
- KeepSCCMContentFiles.toml: Detection rule for SCCM content

Integration points:
- ShareFinder: SCCM share detection and prioritization
- TreeWalker: SCCM-aware file enumeration
- FileClassifier: SCCM content identification

.NET Framework updates:
- Update TargetFrameworkVersion from v4.5.1 to v4.8 to match SnaffCore.csproj
- Resolves CI build compatibility issues