Summary
Within SCCM's client push installation properties there is a setting, "Allow connection fallback to NTLM", which lets the site server fall back to NTLM when Kerberos authentication to the target computer fails, for example because the push targets a host whose name has no matching service principal name registered in Active Directory (Figure 1).
Adversaries commonly abuse NTLM authentication by coercing a computer to authenticate to an attacker-controlled host and then either capturing the NTLM exchange (for offline cracking) or relaying it to another resource. A coerced client push is an attractive target because it authenticates as the site's client push installation account, which is typically a local administrator on every managed system.
Disabling this setting (leaving "Allow connection fallback to NTLM" unchecked) means that a push which cannot authenticate with Kerberos fails instead of sending NTLM, so there is no NTLM authentication for an attacker to capture or relay.
NOTE: This technique must be used in conjunction with PREVENT-1.
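The page only shows the setting in the console. The following PowerShell is an added example, not part of the original page or of the Misconfiguration Manager project, that does the two things a practitioner would want after making the change: read the setting back from the SMS Provider's WMI namespace, and check a domain controller's Security log for NTLM credential validations of the client push accounts (event 4776 is only produced for NTLM logons, so any hits mean a push is still falling back). The property name ENABLEKERBEROSCHECK, the assumption that a value of 3 means the fallback box is unchecked, the site code PS1, the host names and the account names are all assumptions of this example and should be confirmed against the console on the reader's own site.

```powershell
# Added example (not from the Misconfiguration Manager page).
# Assumptions, not stated on the original page:
#   * The "Allow connection fallback to NTLM" setting is persisted as the
#     ENABLEKERBEROSCHECK embedded property of the SMS_DISCOVERY_DATA_MANAGER
#     site component, and a value of 3 means the box is unchecked (Kerberos
#     required). Confirm the mapping against the console on your version.
#   * Site code 'PS1', host names and the push account names are placeholders.

function Get-ClientPushNtlmFallback {
    param(
        [Parameter(Mandatory)] [string] $SiteCode,
        [string] $SmsProvider = $env:COMPUTERNAME
    )
    $ns = "root\SMS\site_$SiteCode"
    $comp = Get-WmiObject -ComputerName $SmsProvider -Namespace $ns -Class SMS_SCI_Component `
        -Filter "ComponentName='SMS_DISCOVERY_DATA_MANAGER' AND SiteCode='$SiteCode'"
    if (-not $comp) { throw "SMS_DISCOVERY_DATA_MANAGER not found in $ns on $SmsProvider" }

    # Props is a lazy WMI property; re-fetch the instance by path to populate it.
    $comp = [wmi]$comp.__PATH
    $prop = $comp.Props | Where-Object { $_.PropertyName -eq 'ENABLEKERBEROSCHECK' }
    $value = $null
    if ($prop) { $value = [int]$prop.Value }

    [pscustomobject]@{
        SiteCode             = $SiteCode
        EnableKerberosCheck  = $value
        # Assumed mapping: 3 = Kerberos required, i.e. NTLM fallback disabled.
        NtlmFallbackDisabled = ($value -eq 3)
    }
}

function Find-PushAccountNtlmValidations {
    param(
        [Parameter(Mandatory)] [string[]] $PushAccount,   # sAMAccountName(s) of the push accounts
        [string] $DomainController = $env:COMPUTERNAME,
        [int] $Hours = 24
    )
    # Event 4776 is written on the DC that validated an NTLM logon; Kerberos
    # logons never produce it, so any hit for a push account is a fallback.
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -ComputerName $DomainController `
        -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } `
        -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($PushAccount -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = $data['TargetUserName']
                Workstation = $data['Workstation']   # host that sent the NTLM authentication
                Status      = $data['Status']        # 0x0 = credentials validated successfully
            }
        }
    }
}

# Usage (placeholder names):
Get-ClientPushNtlmFallback -SiteCode 'PS1' -SmsProvider 'SITESERVER01'
Find-PushAccountNtlmValidations -PushAccount 'sccm_push', 'sccm_push2' -DomainController 'DC01' -Hours 72
```

Run the first function from an account with read access to the SMS Provider; a result of `NtlmFallbackDisabled = False` after unchecking the box means the assumed property mapping is wrong for your version and should be re-checked rather than trusted. The second function's `Workstation` field is the host that sent the NTLM authentication, so entries naming a machine that is not a managed client, or a sudden cluster of failures (non-zero `Status`), are the signal that a push is being coerced.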
Linked Defensive IDs
Associated Offensive IDs
References