What starting position does this attack require?

The first step is Authenticate as NAA (T1078) — a initial access primitive. Assumed environment: workstation is SCCM-managed (client installed) and uses an NAA for software distribution.

What is the final impact of this kill-chain?

The final step lands on Read NAA from CIM_NetworkAccessAccount (AD-SCCM-NAA), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

SCCM Network Access Account disclosure → privileged creds

Any authenticated user on a SCCM-managed endpoint can recover the Network Access Account credentials from WMI / client cache — and the NAA is usually over-privileged.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Authenticate as NAA

T1078 · Valid Accounts

Initial Access

Local user on managed endpoint

T1078 · Valid Accounts

Privilege Escalation

Local SYSTEM (UAC bypass / token)

T1548 · Abuse Elevation Control Mechanism

Or local admin.

Discovery

BloodHound for NAA → path to DA

AD-BLOODHOUND · BloodHound / SharpHound Enumeration

Credential Access

Read NAA from CIM_NetworkAccessAccount

AD-SCCM-NAA · SCCM Network Access Account Disclosure

SharpSCCM.exe local secrets

§ Context

Assumed environment: workstation is SCCM-managed (client installed) and uses an NAA for software distribution. The NAA password is decryptable by the local SYSTEM account.

§ Steps

01
Authenticate as NAAInitial Access
T1078— Valid Accounts
02
Local user on managed endpointInitial Access
T1078— Valid Accounts
03
Local SYSTEM (UAC bypass / token)Privilege Escalation
T1548— Abuse Elevation Control Mechanism
Or local admin.
04
BloodHound for NAA → path to DADiscovery
AD-BLOODHOUND— BloodHound / SharpHound Enumeration
05
Read NAA from CIM_NetworkAccessAccountCredential Access
AD-SCCM-NAA— SCCM Network Access Account Disclosure
SharpSCCM.exe local secrets

§ References

T1078Valid Accounts
T1548Abuse Elevation Control Mechanism

§ Frequently asked

What is the "SCCM Network Access Account disclosure → privileged creds" attack path?: Any authenticated user on a SCCM-managed endpoint can recover the Network Access Account credentials from WMI / client cache — and the NAA is usually over-privileged. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Authenticate as NAA (T1078) — a initial access primitive. Assumed environment: workstation is SCCM-managed (client installed) and uses an NAA for software distribution.
What is the final impact of this kill-chain?: The final step lands on Read NAA from CIM_NetworkAccessAccount (AD-SCCM-NAA), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

SCCM Network Access Account disclosure → privileged creds

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Leaked legacy VPN credential → ransomware (Colonial-class)

Citrix Bleed → steal authenticated session → MFA bypass

WriteDACL on a privileged user → ForceChangePassword → takeover

GenericWrite on Domain Admins → AddMember → DA

Unconstrained delegation → Capture DC TGT → DCSync

Group Policy Preferences cpassword → user takeover