Yes, its what it says in the title.
A group named NCC Group Plc did an amazing job and made reverse engineering to the SCOM run-as accounts.
Making story short and giving a very big credit to the group i will make a very short explanation on what they did:
Using a small PowerShell script or build an EXE file you can run simple commands against your SCOM server and extract all of the runs as accounts passwords.
Those are the steps in short:
● Calls the SecureStorageManager.Initialize() method and reads in the encrypted RSA private key value stored at: “SOFTWARE\\Microsoft\\System Center\\2010\\Common\\MOMBins”
● Queries the dbo.MachineKey table to retrieve the following
● Decrypts the private key using DPAPI.
● The private key is used to decrypt the masterKey and masterIV
● The masterKey and masterIV are used to decrypt the credential data using AES 256.
from hear to there running the PowerShell will do this:
[+] bobsudo:H a c k T h e P l a n e t
[+] administrator:W i n t e r 2 0 1 5 !
[+] alice:P a s s w 0 r d 1 2 3 !