Monitor site server domain computer accounts authenticating from another source
An attacker may use coercion methods to force the SCCM site server's domain computer account to authenticate to an attacker-controlled machine and relay that authentication to another target. This elevation method enables privilege escalation and lateral movement if the attacker targets any other SCCM site system, because the site server requires local administrator privileges on every other site system.
A defender can compare the Account Name field of Event ID 4624 to that of the Source_Host field, or the static IP address of the site server to the Source Network Address field. If the site server's domain computer account generates a successful logon event from a source that is not the site server itself, an NTLM relay attack may have taken place.
The example below displays a successful logon event for the SCCM site server from a host that is not the site server.

```
Source_Host: server2.sccmlab.local

An account was successfully logged on.

Subject:
    Security ID:            S-1-0-0
    Account Name:           -
    Account Domain:         -
    Logon ID:               0x0

Logon Information:
    Logon Type:             3
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:         No

Impersonation Level:        Impersonation

New Logon:
    Security ID:            S-1-5-21-549653051-3181377268-3861266315-1105
    Account Name:           SCCM$
    Account Domain:         SCCMLAB
    Logon ID:               0x36E669
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:             {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:             0x0
    Process Name:           -

Network Information:
    Workstation Name:       SCCM
    Source Network Address: 10.10.0.188 <--- Attacker
    Source Port:            58292

Detailed Authentication Information:
    Logon Process:          NtLmSsp
    Authentication Package: NTLM
    Transited Services:     -
    Package Name (NTLM only): NTLM V2
    Key Length:             128
```
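The check described above, implemented over 4624 message bodies as an added example (not code from the page or from the project it documents). The site server account name, its static IP address and the two sample events are constructed for the example; note that Workstation Name in the page's event still reads SCCM because a relay forwards the name the coerced client supplied, so only the Source Network Address is used to reach a verdict.

```python
import re
from dataclasses import dataclass

# Constructed defender-side configuration (hypothetical values): the site
# server's computer account and the static IP address(es) it logs on from.
SITE_SERVER_ACCOUNT = "SCCM$"
SITE_SERVER_IPS = {"10.10.0.10"}

@dataclass
class Logon4624:
    account: str       # New Logon -> Account Name
    workstation: str   # client-supplied NTLM workstation name, not trustworthy
    source_ip: str     # Source Network Address: the peer that sent the NTLM messages
    logon_type: str
    auth_package: str

def parse_4624(message: str) -> Logon4624:
    """Extract the fields the check needs from a 4624 message body."""
    def field(name: str, section: str = "") -> str:
        # "Account Name" appears under both Subject and New Logon; when a section
        # is given, only look at the text after that section header.
        text = message.split(section + ":", 1)[1] if section else message
        m = re.search(rf"^\s*{re.escape(name)}:\s*(\S+)", text, re.M)
        return m.group(1) if m else "-"
    return Logon4624(field("Account Name", "New Logon"), field("Workstation Name"),
                     field("Source Network Address"), field("Logon Type"),
                     field("Authentication Package"))

def is_suspect_site_server_logon(ev: Logon4624) -> bool:
    """True when the site server's computer account logged on over the network
    with NTLM from an address that is not the site server. Workstation Name is
    deliberately ignored: a relay forwards the name the coerced client sent
    (here "SCCM"), so it looks legitimate even when the source address does not."""
    if ev.account.upper() != SITE_SERVER_ACCOUNT or ev.logon_type != "3":
        return False
    if ev.auth_package.upper() != "NTLM":   # Kerberos logons are not relayed NTLM
        return False
    return ev.source_ip not in SITE_SERVER_IPS

def make_4624(account: str, workstation: str, src_ip: str) -> str:
    """Build a minimal constructed 4624 message body in the Windows layout."""
    return ("An account was successfully logged on.\nSubject:\n\tAccount Name:\t-\n"
            "Logon Information:\n\tLogon Type:\t3\n"
            f"New Logon:\n\tAccount Name:\t{account}\nNetwork Information:\n"
            f"\tWorkstation Name:\t{workstation}\n\tSource Network Address:\t{src_ip}\n"
            "Detailed Authentication Information:\n\tAuthentication Package:\tNTLM\n")

RELAYED_EVENT = make_4624("SCCM$", "SCCM", "10.10.0.188")  # mirrors the page's example
LEGIT_EVENT = make_4624("SCCM$", "SCCM", "10.10.0.10")     # site server's own address
```

In production the same logic runs over the parsed EventData fields (TargetUserName, WorkstationName, IpAddress, LogonType, AuthenticationPackageName) rather than the rendered message text.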
- DETECT-3: Monitor client push installation accounts authenticating from anywhere other than the primary site server
- PREVENT-5: Disable automatic side-wide client push installation
- ELEVATE-1: NTLM relay site server to SMB on site systems
- ELEVATE-2: NTLM relay via automatic client push installation
- ELEVATE-3: NTLM relay via automatic client push installation and AD System Discovery
- TAKEOVER-1: NTLM coercion and relay to MSSQL on remote site database
- TAKEOVER-2: NTLM coercion and relay to SMB on remote site database
- TAKEOVER-3: NTLM coercion and relay to HTTP on AD CS
- TAKEOVER-4: NTLM coercion and relay from CAS to origin primary site server
- TAKEOVER-5: NTLM coercion and relay to AdminService on remote SMS Provider
- TAKEOVER-6: NTLM coercion and relay to SMB on remote SMS Provider
- TAKEOVER-7: NTLM coercion and relay to SMB between primary and passive site servers
- TAKEOVER-8: NTLM coercion and relay HTTP to LDAP on domain controller
- Chris Thompson, SCCM Hierarchy Takeover
- Josh Prager and Nico Shyne, Domain Persistence: Detection Triage and Recovery
- Daniel Petri, How to Defend Against an NTLM Relay Attack
- Fox-IT, Relaying credentials everywhere with ntlmrelayx