SCOM Enumeration LDAP Module

[Ghost7926]

Description

This tool is a "netexec port" of the find function within SCOMHunter. This enumerates for specific SPNs utilized in SCOM to identify if it is used within the environment and/or configured in a vulnerable state.
This code was created while using Claude Sonnet with my direction of how the code will function and look. I reviewed each line for how it functions to ensure it operates how I've intended.
This code specifically searches for MSOMHSvc/* and MSOMSdkSvc/* SPNs. These SPNs are connected to the SCOM management server and SCOM Data Access Service account respectively. When these are on the same host, it opens up a relaying vulnerability for SCOM. Spector Ops Scommand and Conquer Part 1 blog outlines this. Additionally, I will be releasing a blog of my own that will thoroughly outline this attack.

References
https://specterops.io/blog/2025/12/10/scommand-and-conquer-attacking-system-center-operations-manager-part-1/
https://github.com/garrettfoster13/scomhunter

I am currently writting a blog and will publish it demonstrating this tool and this vulnerability.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)
• This PR was created with the assistance of AI (list what type of assistance, tool(s)/model(s) in the description)
  • It created the code of the project, I've reviewed the code myself for any errors.

Setup guide for the review

No setup or alteration required, it is a simple ldap query and logic.

Screenshots (if appropriate):

I tried to model it off SCCM's output

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

• I have ran Ruff against my changes (poetry: poetry run ruff check ., use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
• I have performed a self-review of my own code (not an AI review)
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[NeffIsBack]

Very interesting, thanks for the PR! Haven't looked into that yet, will do when I got some time.