👻 The Phantom Credentials of SCCM
If an Active Directory account has ever been configured as an NAA, the credentials may persist on former clients. Not only can we query the credential blobs from WMI, we can also retrieve previously used account blobs from the CIM repository, even if the computer is no longer a client.
https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9
#ad #credentials #sccm #nna #wmi
If an Active Directory account has ever been configured as an NAA, the credentials may persist on former clients. Not only can we query the credential blobs from WMI, we can also retrieve previously used account blobs from the CIM repository, even if the computer is no longer a client.
https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9
#ad #credentials #sccm #nna #wmi
SpecterOps
The Phantom Credentials of SCCM: Why the NAA Won’t Die - SpecterOps
Explore the risks lurking within SCCM's Network Access Accounts, why transitioning to Enhanced HTTP isn't enough, and why disabling NAAs from AD is crucial.
🔥3❤1❤🔥1