Tags: sccm, configmgr, ntlm relay, coercion. For administrators.

SCCM takeover: a recoverable credential and a coercible site server

SCCM offers two primitives: a recoverable Network Access Account credential and a coercible site server. Resetting one account fixes neither, so you close coercion, credential, and relay.

Microsoft Configuration Manager manages much of the estate, which makes it effectively a Tier-0 asset. Two design weaknesses make it a takeover target, and fixing one account addresses neither.

How the attack works

First, the Network Access Account credential is distributed in policy and recoverable from the credential protection store on any managed client, and it is a reusable domain account. The attacker decrypts it from machine policy on a client. Second, automatic client push installation can be induced so the site server authenticates outbound to an attacker-controlled host. That coerced authentication is relayed to a privileged service such as the directory service or the certificate enrollment endpoint, and the relayed or account-derived access is used to gain control over privileged directory objects, moving toward domain dominance. In ATT&CK terms this is T1552, Unsecured Credentials, combined with T1557, Adversary-in-the-Middle. The tell is twofold: the Network Access Account used outside its normal scope, plus coerced, relayed site-server authentication arriving at a target from somewhere other than the site server itself.

Why it works

Two primitives chain: a recoverable, reusable domain credential and a coercible-then-relayable authentication. Relay protections were not enforced, so the coerced authentication was accepted downstream.

How to fix it

Resetting the one relayed account leaves both primitives intact. Close all three legs together: disable automatic client push to remove the coercion, rotate the Network Access Account or move to enhanced HTTP so no such account is needed, and require SMB signing and Extended Protection for Authentication so the coerced authentication cannot be relayed. Long term, eliminate the account by moving to PKI, permanently disable client push in favor of a controlled install method, and harden the SCCM tier as Tier-0. Trace the account and site-server authentications to scope what was reached.
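The two tells named above, and the tracing step in the fix, as an added example that is not part of the original note: a scoping check over constructed Windows 4624 logon records. The account names, addresses and host sets are hypothetical placeholders for a real environment's values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Logon:
    """One Windows 4624 logon record, reduced to the fields the checks use."""
    host: str          # computer that recorded the event (Computer)
    target_user: str   # TargetUserName, DOMAIN\\name
    source_ip: str     # IpAddress the authentication arrived from
    logon_type: int    # 3 = network logon

# Hypothetical environment values (assumed, not from the note).
NAA = "corp\\svc_sccm_naa"              # Network Access Account
SITE_SERVER = "corp\\sccm-ps01$"        # site server machine account
SITE_SERVER_IP = "10.0.0.10"            # the only address it should authenticate from
DISTRIBUTION_POINTS = {"dp01", "dp02"}  # the only hosts the NAA should log on to

def naa_out_of_scope(events):
    """NAA network logons recorded anywhere but a distribution point: the
    recoverable, reusable credential being replayed outside its normal scope."""
    return [e for e in events
            if e.logon_type == 3
            and e.target_user.lower() == NAA
            and e.host.lower() not in DISTRIBUTION_POINTS]

def relayed_site_server_auth(events):
    """Site server machine-account logons that did not originate from the site
    server's own address. A coerced, relayed authentication lands on the target
    carrying the relay host's IP, so the address mismatch is the tell."""
    return [e for e in events
            if e.logon_type == 3
            and e.target_user.lower() == SITE_SERVER
            and e.source_ip != SITE_SERVER_IP]

# Constructed sample: one benign record and one hit for each rule.
SAMPLE = [
    Logon("DP01", "CORP\\svc_sccm_naa", "10.0.5.23", 3),  # client fetching content
    Logon("DC01", "CORP\\svc_sccm_naa", "10.0.5.23", 3),  # NAA against a DC: out of scope
    Logon("DP02", "CORP\\SCCM-PS01$", "10.0.0.10", 3),    # site server to its own DP
    Logon("DC01", "CORP\\SCCM-PS01$", "10.0.9.99", 3),    # site server account from elsewhere
]

def scope_findings(events=SAMPLE):
    """Return (hosts the NAA reached out of scope, sources of relayed site-server
    logons): the two lists that bound what the incident actually touched."""
    return (sorted(e.host for e in naa_out_of_scope(events)),
            sorted(e.source_ip for e in relayed_site_server_auth(events)))

if __name__ == "__main__":
    print(scope_findings())  # → (['DC01'], ['10.0.9.99'])
```

Feed it real 4624 exports with the four fields filled in; both lists staying empty after containment is the check that all three legs were actually closed.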

Practice it

We built this as a GraphLattice Range scenario so administrators can rehearse the coercion-and-relay detection and the three-pronged containment.