Skip to main content

Summary

An attacker may use coercion methods to force the the SCCM site server’s domain computer account to authenticate to an attacker-controlled machine and relay that authentication to another target. This elevation method enables privilege escalation and lateral movement if the attacker targets any other SCCM site system, as the site server requires local administrator privileges on other site systems. A defender can compare the Account Name field of Event ID: 4624 to that of the Source_Host field, or the static IP address of the site server to the Source Network Address field. If the site server’s domain computer account generates a successful logon event from a source that is not that site server, an NTLM relay attack may have taken place. The example below displays a successful logon event for the SCCM site server from a host that is not the site server. 
    Source_Host: server2.sccmlab.local
    An account was successfully logged on.

    Subject:
        Security ID:		S-1-0-0
        Account Name:		-
        Account Domain:		-
        Logon ID:		0x0

    Logon Information:
        Logon Type:		3
        Restricted Admin Mode:	-
        Virtual Account:		No
        Elevated Token:		No

    Impersonation Level:		Impersonation

    New Logon:
        Security ID:		S-1-5-21-549653051-3181377268-3861266315-1105
        Account Name:		SCCM$
        Account Domain:		SCCMLAB
        Logon ID:		0x36E669
        Linked Logon ID:		0x0
        Network Account Name:	-
        Network Account Domain:	-
        Logon GUID:		{00000000-0000-0000-0000-000000000000}

    Process Information:
        Process ID:		0x0
        Process Name:		-

    Network Information:
        Workstation Name:	SCCM
        Source Network Address:	10.10.0.188 <--- Attacker
        Source Port:		58292

    Detailed Authentication Information:
        Logon Process:		NtLmSsp 
        Authentication Package:	NTLM
        Transited Services:	-
        Package Name (NTLM only):	NTLM V2
        Key Length:		128

Linked Defensive IDs

Associated Offensive IDs

References