PREVENT-1 - SpecterOps Open Source

Summary

Within SCCM’s client push installation properties, there exists a setting to “Allow connection fallback to NTLM” (Figure 1).

In SCCM versions prior to 2207, there exists a bug such that without this setting enabled, the connection will fallback to NTLM regardless of the setting. Microsoft patched this bug in KB15599094. This patch is applied by default to new site installations of version 2207+. This patch only applies to versions 2103+. If the installed version is older, Microsoft recommends updating to a current version.

Linked Defensive IDs

PREVENT-2: Disable Fallback to NTLM

Associated Offensive IDs

ELEVATE-2: NTLM relay via automatic client push installation
ELEVATE-3: NTLM relay via automatic client push installation and AD System Discovery

References

Microsoft, NTLM client installation update for Microsoft Endpoint Configuration Manager
Jitesh Kumar, SCCM Hotfix KB15599094 NTLM Client Installation Update
Brandon Colley, Push Comes To Shove: Bypassing Kerberos Authentication of SCCM Client Push Accounts

Techniques

Documentation Index

​Summary

​Linked Defensive IDs

​Associated Offensive IDs

​References

Summary

Linked Defensive IDs

Associated Offensive IDs

References