H3-2025-0058
SCCM Hierarchy Takeover via NTLM Coercion and Relay
| Field | Value |
|---|---|
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 8.8 |
Description
System Center Configuration Manager (SCCM) site servers, SMS Provider systems, and passive site servers are granted the 'db_owner' role in their respective site's MSSQL database by default. An attacker with valid Active Directory domain credentials can coerce NTLM authentication from one of these privileged systems and relay it to the site database. This allows the attacker to execute arbitrary SQL statements with db_owner privileges, enabling them to grant any domain account the SCCM 'Full Administrator' role. The attack requires that the site database is not hosted on the same system being coerced for authentication, since the coerced NTLM authentication cannot be relayed back to the host it originated from.
Impact
The SCCM 'Full Administrator' security role grants all permissions in Configuration Manager for all scopes and collections. An attacker with this privilege can execute arbitrary programs on any online client device as SYSTEM, as the currently logged-on user, or as a specific user when they next log on. They can also leverage tools such as CMPivot and Run Script to query or execute scripts on client devices in real time using the AdminService or WMI on an SMS Provider.
References
- TAKEOVER-1: Hierarchy takeover via NTLM coercion and relay to MSSQL on remote site database
- SCCM Hierarchy Takeover: One Site to Rule Them All
- PREVENT-14: Enable Extended Protection for Authentication on MSSQL
- PREVENT-20: Restrict Network Access to Site Servers and SMS Providers
- DETECT-1: Monitor Site Server Domain Computer Accounts for Anomalous Authentication
- MITRE ATT&CK Technique: TA0004: Privilege Escalation
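A defender-side check for the anomalous site-server authentication the description names and that DETECT-1 above targets, added here as an illustration; it is not part of the original advisory or of any referenced project. Host names, addresses and the event records are constructed; the field names are those of Windows Security event 4624, and the inventory of privileged accounts is an assumed input the operator maintains.

```python
import ipaddress

# Constructed sample of Windows Security event 4624 (successful logon) records,
# in the flattened key/value form an event-forwarding pipeline would emit.
# "Computer" is the host that logged the event (here the site database server).
SAMPLE_EVENTS = [
    {"Computer": "SCCM-SQL01", "TargetUserName": "SCCM-SITE$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.1.10"},
    {"Computer": "SCCM-SQL01", "TargetUserName": "SCCM-SITE$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77"},
    {"Computer": "SCCM-SQL01", "TargetUserName": "SCCM-SMSPROV$", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.11"},
    {"Computer": "SCCM-SQL01", "TargetUserName": "jdoe", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77"},
    {"Computer": "SCCM-SITE", "TargetUserName": "SCCM-SITE$", "LogonType": 5,
     "AuthenticationPackageName": "Negotiate", "IpAddress": "-"},
]

# Assumed inventory (hypothetical names and addresses): each privileged SCCM
# computer account (site server, SMS Provider, passive site server) mapped to
# the address(es) its host legitimately authenticates from.
PRIVILEGED_ACCOUNTS = {
    "SCCM-SITE$": {"10.0.1.10"},
    "SCCM-SMSPROV$": {"10.0.1.11"},
    "SCCM-PASSIVE$": {"10.0.1.12"},
}

def _is_local(addr):
    """Treat '-' and loopback as a logon on the host itself, not a relay."""
    if addr in ("-", ""):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def is_anomalous_logon(event, inventory=PRIVILEGED_ACCOUNTS):
    """True for an NTLM network logon (type 3) by a privileged SCCM computer
    account that arrives from an address other than the account's own host,
    which is what a coerced-and-relayed authentication looks like at the
    site database server."""
    acct = event.get("TargetUserName", "").upper()
    if acct not in inventory:
        return False
    if event.get("AuthenticationPackageName") != "NTLM" or event.get("LogonType") != 3:
        return False
    src = event.get("IpAddress", "-")
    return not _is_local(src) and src not in inventory[acct]

def find_anomalous_logons(events, inventory=PRIVILEGED_ACCOUNTS):
    """Return (account, source address, receiving host) for each matching event."""
    return [(e["TargetUserName"], e["IpAddress"], e["Computer"])
            for e in events if is_anomalous_logon(e, inventory)]
```

Kerberos logons and local logons by the same accounts are deliberately ignored, so the rule fires only on the relayed NTLM pattern rather than on normal site-server activity.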