AD-SCCM-MSSQLLateral Movement

SCCM MSSQL Site Database Abuse

Direct MSSQL access to the site DB grants Full Administrator rights by inserting a row in RBAC_Admins.

§ Where this technique fits

AD-SCCM-MSSQL is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 5 on average.

§ Dossiers chaining this technique

SCCM site takeover via NTLM relay (Takeover-1)
Coerce the SCCM site server to authenticate, relay to MSSQL on the site database, and grant yourself Full Administrator inside SCCM.
step 5 / 7

§ What commonly comes next

01
SCCM Site Takeover (Takeover-1…8)
AD-SCCM-RELAY · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SCCM site takeover via NTLM relay (Takeover-1)

§ What commonly comes next