| Codename | Matrix Shortname | Description | Security Context | Network Access |
| --- | --- | --- | --- | --- |
| CRED‑1 | PXE Credentials | Retrieve secrets from PXE boot media | Unauthenticated | Internal network |
| CRED‑2 | Policy Request Credentials | Request machine policy and deobfuscate secrets | Domain computer creds | Internal network |
| CRED‑3 | DPAPI Credentials | Dump currently deployed secrets via WMI | Client device admin | Any |
| CRED‑4 | Legacy Credentials | Retrieve legacy secrets from the CIM repository | Client device admin | Any |
| CRED‑5 | Site Database Credentials | Retrieve credentials from the site database | Primary site server admin, site database read | Internal network |
| CRED‑6 | Looting Distribution Points | Loot Distribution Points via SMB or SCCM | Domain User or Unauthenticated (at times) | Any |
| CRED‑7 | AdminService API Credentials | Retrieve credentials via AdminService API | SCCM administrator | Internal network |
| ELEVATE‑1 | Relay to Site System (SMB) | NTLM relay site server to SMB on site systems | Domain user creds | Internal network |
| ELEVATE‑2 | Relay Client Push Installation | NTLM relay via automatic client push installation | Domain user creds | Internal network |
| ELEVATE‑3 | Relay Client Push Installation | NTLM relay via automatic client push installation and AD System Discovery | Domain user creds | Internal network |
| ELEVATE‑4 | PXE PKI Credentials | Distribution Point Takeover via PXE Boot Spoofing | Unauthenticated | Internal network |
| ELEVATE‑5 | OSD PKI Credentials | Distribution Point Takeover via OSD Media Recovery | Domain user creds | Internal network |
| EXEC‑1 | App Deployment | Application deployment | SCCM administrator | Internal network |
| EXEC‑2 | Script Deployment | PowerShell script execution | SCCM administrator | Internal network |
| RECON‑1 | LDAP Enumeration | Enumerate SCCM site information via LDAP | Authenticated domain user | Internal network |
| RECON‑2 | SMB Enumeration | Enumerate SCCM roles via SMB | Authenticated domain user | Internal network |
| RECON‑3 | HTTP Enumeration | Enumerate SCCM roles via HTTP | Authenticated domain user | Internal network |
| RECON‑4 | CMPivot | Query client devices via CMPivot | SCCM administrator | Internal network |
| RECON‑5 | SMS Provider Enumeration | Locate users via SMS Provider | SCCM administrator | Internal network |
| RECON‑6 | Remote Registry Enumeration | SCCM Site System Role Enumeration via Remote Registry | Authenticated domain user | Internal network |
| RECON‑7 | Local File Site Numeration | SCCM Site Enumeration via Local Files on Clients | Local admin on SCCM client | Internal network |
| TAKEOVER‑1 | Relay to Site DB (MSSQL) | NTLM coercion and relay to MSSQL on remote site database | Domain user creds | Internal network |
| TAKEOVER‑2 | Relay to Site DB (SMB) | NTLM coercion and relay to SMB on remote site database | Domain user creds | Internal network |
| TAKEOVER‑3 | Relay to AD CS | NTLM coercion and relay to HTTP on AD CS | Domain user creds | Internal network |
| TAKEOVER‑4 | Relay CAS to Child | NTLM coercion and relay from CAS to origin primary site server | Domain user creds | Internal network |
| TAKEOVER‑5 | Relay to AdminService | NTLM coercion and relay to AdminService on remote SMS Provider | Domain user creds | Internal network |
| TAKEOVER‑6 | Relay to SMS Provider (SMB) | NTLM coercion and relay to SMB on remote SMS Provider | Domain user creds | Internal network |
| TAKEOVER‑7 | Relay Between HA | NTLM coercion and relay to SMB between primary and passive site servers | Domain user creds | Internal network |
| TAKEOVER‑8 | Relay to LDAP | NTLM coercion and relay HTTP to LDAP on domain controller | Domain user creds | Internal network |
| TAKEOVER‑9 | SQL Linked as DBA | Crawl site database links configured with DBA privileges | Authenticated database user | Internal network |
| COERCE‑1 | CMPivot coercion | NTLM coercion via CMPivot query | CMPivot administrator | Internal network |
| COERCE‑2 | CcmExec Coercion | NTLM coercion via SCNotification AppDomainManager Injection | Local admin on SCCM client | Internal network |