H3-2025-0062
SCCM Hierarchy Takeover via NTLM Coercion and Relay to SMB
| Category | SECURITY_MISCONFIGURATION | 
| Base Score | 8.8 | 
Description
By default, the Active Directory domain computer accounts for primary site servers (including CAS site servers) and passive site servers are granted membership in their respective site database server's local Administrators group. An attacker with valid Active Directory domain credentials can coerce NTLM authentication from one of these privileged accounts and relay it to the site database server via SMB. This allows the attacker to gain administrative access to the database system, extract service account credentials, and use Kerberos delegation techniques to authenticate to the MSSQL database service. Once authenticated to the database, the attacker can grant any domain account the SCCM 'Full Administrator' role.
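A relayed logon reaches the site database server from the relaying host rather than from the site server itself, which is the condition the DETECT-1 reference monitors. The following added example (not part of the original advisory or of the referenced projects) applies that check to Security event 4624 records collected from the site database server; the account names, addresses and inventory mapping are constructed assumptions.

```python
import ipaddress

# Assumed inventory: site server machine account -> addresses it legitimately uses.
SITE_SERVER_IPS = {
    "SITESRV01$": {"10.0.10.5"},   # primary site server (hypothetical name)
    "SITESRV02$": {"10.0.10.6"},   # passive site server (hypothetical name)
}

# Constructed sample of 4624 (successful logon) records from the site database server.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "SITESRV01$", "IpAddress": "10.0.10.5", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "SITESRV01$", "IpAddress": "10.0.50.77", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "sitesrv02$", "IpAddress": "::ffff:10.0.10.6", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.50.77", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "SITESRV02$", "IpAddress": "-", "AuthenticationPackageName": "NTLM"},
]

def normalize_ip(value):
    """Return a canonical address string, or None when the field holds no address."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    # 4624 can record IPv4 sources in IPv4-mapped IPv6 form.
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def find_foreign_source_logons(events, inventory=SITE_SERVER_IPS):
    """Flag network logons by a site server machine account from any other source."""
    known = {name.upper(): ips for name, ips in inventory.items()}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4624 or str(ev.get("LogonType")) != "3":
            continue  # only successful network logons are relevant here
        account = ev.get("TargetUserName", "").upper()
        if account not in known:
            continue  # not a monitored site server account
        source = normalize_ip(ev.get("IpAddress", ""))
        if source in known[account]:
            continue  # logon came from the site server itself
        reason = "source is not the site server" if source else "no source address recorded"
        alerts.append({"account": account, "source": source, "reason": reason,
                       "package": ev.get("AuthenticationPackageName")})
    return alerts

if __name__ == "__main__":
    for alert in find_foreign_source_logons(SAMPLE_EVENTS):
        print(alert)
```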
Impact
The SCCM 'Full Administrator' security role grants all permissions in Configuration Manager for all scopes and collections. An attacker with this privilege can execute arbitrary programs on any online client device as SYSTEM, as the currently logged-on user, or as a specific user when they next log on. They can also leverage tools such as CMPivot and Run Script to query or execute scripts on client devices in real time using the AdminService or WMI on an SMS Provider. This attack provides complete control over the SCCM infrastructure and all managed endpoints.
References
- TAKEOVER-2: Hierarchy takeover via NTLM coercion and relay to SMB on remote site database
- SCCM Hierarchy Takeover: One Site to Rule Them All
- PREVENT-12: Require SMB signing on site systems
- PREVENT-20: Block unnecessary connections to site systems
- DETECT-1: Monitor site server domain computer accounts authenticating from another source
- MITRE ATT&CK Technique: TA0004: Privilege Escalation