Site Takeover via SCCM’s AdminService API
Malware Analysis, News and Indicators - Latest topics malware.news
tl;dr: The SCCM AdminService API is vulnerable to NTLM relaying and can be abused for SCCM site takeover.
Prior Work and Credit
Before I get started, I’d like to acknowledge some of the work previously done that inspired researching SCCM.
Chris Thompson previously covered multiple issues involving SCCM, including a site takeover primitive via MSSQL, and is the primary developer of the SharpSCCM project. Duane Michael wrote about recovering Network Access Account (NAA) credentials from DPAPI on SCCM clients. …