Analysis updated 2026-07-18 · repo last pushed 2025-12-04
Map SCOM admin relationships and code-execution paths across monitored servers in a target network.
Find all SCOM administrators and trace their control down to specific monitored client systems.
Visualize the entire SCOM infrastructure topology inside an existing BloodHound graph session.
| specterops/scomhound | 0xtotem/peek-dspy | ant-research/memdreamer | |
|---|---|---|---|
| Stars | 42 | 42 | 42 |
| Language | Python | Python | Python |
| Last pushed | 2025-12-04 | — | — |
| Maintenance | Quiet | — | — |
| Setup difficulty | moderate | moderate | hard |
| Complexity | 3/5 | 3/5 | 5/5 |
| Audience | ops devops | developer | researcher |
Figures from each repo's GitHub metadata at analysis time.
Requires an existing BloodHound and Neo4j setup plus valid Active Directory credentials or Kerberos tickets to query the target environment.
SCOMHound is a security tool that helps red team operators and penetration testers map out SCOM (System Center Operations Manager) infrastructure within an organization's network. It extends BloodHound, a popular tool for visualizing attack paths in Active Directory environments, by adding visibility into SCOM-specific relationships that attackers could exploit. SCOM is Microsoft's monitoring platform used to track the health and performance of servers and applications across an enterprise. From an attacker's perspective, it's a valuable target because SCOM administrators can execute code on monitored systems, deploy agents, and access credentials. This tool queries Active Directory for SCOM-related objects and feeds that data into BloodHound's graph, creating visual maps showing who administers what, which servers manage which groups, and which client systems are being monitored. The tool maps out several node types: management groups (the central administrative unit), management servers, SCOM administrators, monitored clients, and SDK service accounts. It then draws relationships between them, showing administrative control, group membership, and monitoring connections. The key attack path it reveals is straightforward: if you compromise a SCOM administrator, you gain the ability to run code on every system that management group monitors. The included Cypher queries let users quickly find all admins, trace paths from admin accounts down to monitored clients, or view the entire SCOM infrastructure at once. This is a proof-of-concept from SpecterOps, the company behind BloodHound, built on their OpenGraph framework. It's designed for security professionals who already use BloodHound and want to close a visibility gap around SCOM environments. The project is still maturing, the README notes ongoing work to fix parsing of Data Access accounts, add web console enumeration, and build high-privilege collection capabilities. Installation uses uv, a Python package manager, and authentication supports standard credentials, Kerberos, and hash-based methods common in offensive security workflows.
SCOMHound maps Microsoft SCOM monitoring infrastructure into BloodHound's attack-path graphs, revealing which SCOM admins can run code on monitored systems across an enterprise network.
Mainly Python. The stack also includes Python, BloodHound, OpenGraph.
Quiet — no commits in 6-12 months (last push 2025-12-04).
No license is specified in the project, so default copyright applies and use may be restricted.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.