| Codename | Description |
|---|---|
| TAKEOVER‑1 | Hierarchy takeover via NTLM coercion and relay to MSSQL on remote site database |
| TAKEOVER‑1.1: Coerce primary site server | |
| TAKEOVER‑1.2: Coerce SMS Provider | |
| TAKEOVER‑1.3: Coerce passive site server | |
| TAKEOVER‑2 | Hierarchy takeover via NTLM coercion and relay to SMB on remote site database |
| TAKEOVER‑2.1: Coerce primary site server | |
| TAKEOVER‑2.2: Coerce passive site server | |
| TAKEOVER‑3 | Hierarchy takeover via NTLM coercion and relay to HTTP on ADCS |
| TAKEOVER‑3.1: Coerce primary site server | |
| TAKEOVER‑3.2: Coerce SMS Provider | |
| TAKEOVER‑3.3: Coerce passive site server | |
| TAKEOVER‑3.4: Coerce site database server | |
| TAKEOVER‑4 | Hierarchy takeover via NTLM coercion and relay from CAS to origin primary site server |
| TAKEOVER‑4.1: Relay to SMB | |
| TAKEOVER‑4.2: Relay to AdminService | |
| TAKEOVER‑5 | Hierarchy takeover via NTLM coercion and relay to AdminService on remote SMS Provider |
| TAKEOVER‑5.1: Coerce primary site server | |
| TAKEOVER‑5.2: Coerce passive site server | |
| TAKEOVER‑6 | Hierarchy takeover via NTLM coercion and relay to SMB on remote SMS Provider |
| TAKEOVER‑6.1: Coerce primary site server | |
| TAKEOVER‑6.2: Coerce passive site server | |
| TAKEOVER‑7 | Hierarchy takeover via NTLM coercion and relay to SMB between primary and passive site servers |
| TAKEOVER‑7.1: Coerce primary site server | |
| TAKEOVER‑7.2: Coerce passive site server | |
| TAKEOVER‑8 | Hierarchy takeover via NTLM coercion and relay HTTP to LDAP on domain controller |
| TAKEOVER‑8.1: Coerce primary site server | |
| TAKEOVER‑8.2: Coerce SMS Provider | |
| TAKEOVER‑8.3: Coerce passive site server | |
| TAKEOVER‑8.4: Coerce site database server | |
| TAKEOVER‑9 | Hierarchy takeover via crawling site database links configured with DBA privileges |
Takeover Techniques List
Converted from Markdown to