AD-SCCM-CLIENTPUSHPrivilege Escalation

SCCM Client Push Installation Abuse

Coerce the site server's client-push account to authenticate, then relay or use it directly.

§ Where this technique fits

AD-SCCM-CLIENTPUSH is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

SCCM site takeover via NTLM relay (Takeover-1)
Coerce the SCCM site server to authenticate, relay to MSSQL on the site database, and grant yourself Full Administrator inside SCCM.
step 4 / 7

§ What commonly comes next

01
SCCM MSSQL Site Database Abuse
AD-SCCM-MSSQL · Lateral Movement
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SCCM site takeover via NTLM relay (Takeover-1)

§ What commonly comes next