gitwtfhub

wtf is scomhound?

specterops/scomhound — explained in plain English

Analysis updated 2026-07-18 · repo last pushed 2025-12-04

42PythonAudience · ops devopsComplexity · 3/5QuietSetup · moderate

TL;DR

SCOMHound maps Microsoft SCOM monitoring infrastructure into BloodHound's attack-path graphs, revealing which SCOM admins can run code on monitored systems across an enterprise network.

Mindmap

mindmap
  root((repo))
    What it does
      Maps SCOM infrastructure
      Feeds BloodHound graph
      Reveals attack paths
    Tech stack
      Python
      OpenGraph framework
      BloodHound
      uv package manager
    Use cases
      Find SCOM admins
      Trace paths to clients
      Visualize SCOM control
    Audience
      Red team operators
      Penetration testers
      Security professionals
    Concepts
      Management groups
      SCOM administrators
      Monitored clients

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Map SCOM admin relationships and code-execution paths across monitored servers in a target network.

REASON 2

Find all SCOM administrators and trace their control down to specific monitored client systems.

REASON 3

Visualize the entire SCOM infrastructure topology inside an existing BloodHound graph session.

What's in the stack?

PythonBloodHoundOpenGraphuvKerberos

How it stacks up

specterops/scomhound0xtotem/peek-dspyant-research/memdreamer
Stars424242
LanguagePythonPythonPython
Last pushed2025-12-04
MaintenanceQuiet
Setup difficultymoderatemoderatehard
Complexity3/53/55/5
Audienceops devopsdeveloperresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · moderate Time to first run · 30min

Requires an existing BloodHound and Neo4j setup plus valid Active Directory credentials or Kerberos tickets to query the target environment.

No license is specified in the project, so default copyright applies and use may be restricted.

Wtf does this do

SCOMHound is a security tool that helps red team operators and penetration testers map out SCOM (System Center Operations Manager) infrastructure within an organization's network. It extends BloodHound, a popular tool for visualizing attack paths in Active Directory environments, by adding visibility into SCOM-specific relationships that attackers could exploit. SCOM is Microsoft's monitoring platform used to track the health and performance of servers and applications across an enterprise. From an attacker's perspective, it's a valuable target because SCOM administrators can execute code on monitored systems, deploy agents, and access credentials. This tool queries Active Directory for SCOM-related objects and feeds that data into BloodHound's graph, creating visual maps showing who administers what, which servers manage which groups, and which client systems are being monitored. The tool maps out several node types: management groups (the central administrative unit), management servers, SCOM administrators, monitored clients, and SDK service accounts. It then draws relationships between them, showing administrative control, group membership, and monitoring connections. The key attack path it reveals is straightforward: if you compromise a SCOM administrator, you gain the ability to run code on every system that management group monitors. The included Cypher queries let users quickly find all admins, trace paths from admin accounts down to monitored clients, or view the entire SCOM infrastructure at once. This is a proof-of-concept from SpecterOps, the company behind BloodHound, built on their OpenGraph framework. It's designed for security professionals who already use BloodHound and want to close a visibility gap around SCOM environments. The project is still maturing, the README notes ongoing work to fix parsing of Data Access accounts, add web console enumeration, and build high-privilege collection capabilities. Installation uses uv, a Python package manager, and authentication supports standard credentials, Kerberos, and hash-based methods common in offensive security workflows.

Yoink these prompts

Prompt 1
Using SCOMHound with my BloodHound setup, how do I collect SCOM objects from Active Directory and import them so I can see which SCOM admins can execute code on monitored clients?
Prompt 2
Show me the Cypher queries SCOMHound includes for finding all SCOM administrators and tracing attack paths from admin accounts to monitored systems in BloodHound.
Prompt 3
How do I install and authenticate SCOMHound using uv with standard credentials or a Kerberos ticket for querying a target environment?
Prompt 4
What SCOM node types and relationships does SCOMHound add to BloodHound, and how do management groups connect to monitored clients through administrative control?

Frequently asked questions

wtf is scomhound?

SCOMHound maps Microsoft SCOM monitoring infrastructure into BloodHound's attack-path graphs, revealing which SCOM admins can run code on monitored systems across an enterprise network.

What language is scomhound written in?

Mainly Python. The stack also includes Python, BloodHound, OpenGraph.

Is scomhound actively maintained?

Quiet — no commits in 6-12 months (last push 2025-12-04).

What license does scomhound use?

No license is specified in the project, so default copyright applies and use may be restricted.

How hard is scomhound to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is scomhound for?

Mainly ops devops.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.