2025-10-21, Europe
A brief red-team story that takes you on a short journey into SCCM backup-secret decryption. This lightning talk demonstrates a complete offline method for decrypting SCCM backup secrets, lists the exact artifacts required for decryption, and provides a supporting script to reproduce the workflow in your future red-team assessments.
This lightning talk presents a real red-team case study focused on SCCM backup secret decryption. Using a public SCCM lab environment (GOAD SCCM), we demonstrate the complete offline process for decrypting SCCM backup secrets, without requiring access to a live SCCM server. Although the approach has been briefly mentioned in a few articles and tweets, it has never been shown concretely from start to finish. So, we went deep to clearly reproduce and document each step, making it easier for you to use it in your future red-team operations.
The technique is especially valuable when SCCM backups are found on network shares or other exposed locations, a scenario that is surprisingly common in real-world environments. We will explain how SCCM backup-secret encryption works, highlight the artifacts that must be collected, and present a step-by-step decryption workflow. To support this, we will also share a decryption script, enabling you to reproduce the process during your next assessments and SCCM hacking. Have fun, as we did!