Coercing NTLM Authentication from SCCM

tl;dr: Disable NTLM for Client Push Installation

When SCCM automatic site assignment and automatic client push installation are enabled, and PKI certificates aren’t required for client authentication, it’s possible to coerce NTLM authentication from the management point’s installation and machine accounts to an arbitrary NetBIOS name, FQDN, or IP address, allowing the credentials to be relayed or cracked. This can be done using a low-privileged account on any Windows SCCM client.

Client push installation accounts require local admin privileges to …

application security authentication ntlm penetration testing pentesting red team sccm social engineering