SCCM site takeover via NTLM relay (Takeover-1)
Coerce the SCCM site server to authenticate, relay to MSSQL on the site database, and grant yourself Full Administrator inside SCCM.
§ Context
Assumed environment: SCCM site server is reachable, the site DB is MSSQL with SMB signing not enforced for the relay path, and the site server has machine-account SMB auth enabled (typical).
§ Steps
| Step | Action | Tactic | Technique |
|---|---|---|---|
| 01 | Low-priv principal w/ network reach | Initial Access | T1078 — Valid Accounts |
| 02 | Run SYSTEM script on every endpoint | Execution | T1059 — Command and Scripting Interpreter |
| 03 | ntlmrelayx to MSSQL site DB | Credential Access | T1557.001 — LLMNR/NBT-NS Poisoning and SMB Relay |
| 04 | Coerce SCCM site server (PetitPotam) | Privilege Escalation | AD-SCCM-CLIENTPUSH — SCCM Client Push Installation Abuse |
| 05 | Full Administrator in SCCM | Privilege Escalation | AD-SCCM-RELAY — SCCM Site Takeover (Takeover-1…8) |
| 06 | Insert into RBAC_Admins / promote | Lateral Movement | AD-SCCM-MSSQL — SCCM MSSQL Site Database Abuse |
| 07 | Enumerate SCCM (SharpSCCM) | Discovery | AD-NETEXEC — NetExec / CrackMapExec Sweep |

Command listed for step 07: SharpSCCM.exe get site-info / get device
§ References
§ Frequently asked
- What is the "SCCM site takeover via NTLM relay (Takeover-1)" attack path?
- Coerce the SCCM site server to authenticate, relay to MSSQL on the site database, and grant yourself Full Administrator inside SCCM. It chains 7 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Low-priv principal w/ network reach (T1078) — an initial access primitive. Assumed environment: SCCM site server is reachable, the site DB is MSSQL with SMB signing not enforced for the relay path, and the site server has machine-account SMB auth enabled (typical).
- What is the final impact of this kill-chain?
- The final step lands on Enumerate SCCM (SharpSCCM) (AD-NETEXEC), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- WSUS over HTTP → push code to managed clients (shared techniques: 3)
  Clients using an HTTP WSUS server can be MITM'd to receive an attacker-signed (but Microsoft-trusted) auxiliary update that executes arbitrary commands as SYSTEM.
- io_uring UAF → modprobe_path overwrite → root (shared techniques: 2)
  Use an io_uring UAF to land an arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.
- nf_tables UAF → kernel R/W → root (shared techniques: 2)
  CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
- BYOVD → kernel-level disable of EDR callbacks (shared techniques: 2)
  From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
- Process doppelgänging → spawn signed image with attacker bytes (shared techniques: 2)
  Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.
- F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB (shared techniques: 2)
  Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.