SCCM Hierarchy takeover
Theory
As Chris Thompson describes in his article SCCM Hierarchy Takeover, by default, when a new user is promoted to any SCCM administrative role on a primary site server (for example, Full Administrator), the CAS automatically propagates the role to the other SCCM sites in the hierarchy.
This means that there is no security boundary between SCCM sites in the same hierarchy, and taking over one SCCM site implies the ability to take over all the others.
For additional attack techniques and defense strategies related to SCCM hierarchy takeover, refer to the following techniques from the Misconfiguration-Manager repository:
Practice
Automatic propagation
No additional action is required. Promote a user to any SCCM administrative role on a primary site server (for example, Full Administrator), and the CAS automatically propagates the role to the other SCCM sites in the hierarchy.
TAKEOVER-5: NTLM coercion and relay to AdminService
This technique only works on Configuration Manager versions prior to 2509. Version 2509 and later reject NTLM authentication at the AdminService. For more details, see Microsoft's update notes.
This technique allows an attacker to take over the SCCM hierarchy by relaying coerced NTLM authentication from site servers to remote SMS Providers via the AdminService API. The SMS Provider's AdminService REST API uses Microsoft Negotiate for authentication and, in default configurations prior to version 2509, was vulnerable to NTLM relay attacks.
For detailed requirements, defensive strategies, and practical implementation steps, refer to the Relay to the HTTP API AdminService section in the site takeover article, TAKEOVER-5, and the article "Site Takeover via SCCM's AdminService API" by Garrett Foster.
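On the detection side, a relayed logon reaches the SMS Provider as an NTLM network logon for a site server machine account, coming from an address that is not that site server. The following is an added example, not code from the original page or the referenced articles; it assumes Security event 4624 records exported from an SMS Provider host as dictionaries, and the host names, addresses and events are constructed.

```python
import ipaddress

# Assumed inventory (constructed): site server machine accounts and the
# addresses they legitimately authenticate from.
SITE_SERVERS = {"CAS01$": {"10.0.0.10"}, "PS1SRV$": {"10.0.1.10"}}

# Constructed 4624 records, as exported from an SMS Provider's Security log.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "PS1SRV$",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.10"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "PS1SRV$",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "cas01$",
     "AuthenticationPackageName": "NTLM", "IpAddress": "::ffff:10.0.0.10"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "helpdesk1",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "CAS01$",
     "AuthenticationPackageName": "NTLM", "IpAddress": "-"},
]

def normalize_ip(value):
    """Return a canonical address string, or None when the field is unusable."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    return str(mapped or addr)

def suspicious_ntlm_logons(events, site_servers=SITE_SERVERS):
    """Flag NTLM network logons of site server accounts from unexpected hosts."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if str(ev.get("AuthenticationPackageName", "")).upper() != "NTLM":
            continue
        account = str(ev.get("TargetUserName", "")).upper()
        expected = site_servers.get(account)
        if expected is None:
            continue  # not a site server machine account
        source = ev.get("IpAddress", "-")
        if normalize_ip(source) not in expected:
            findings.append((account, source))
    return findings

if __name__ == "__main__":
    for account, source in suspicious_ntlm_logons(SAMPLE_EVENTS):
        print(f"review: NTLM logon for {account} from {source}")
```

Events with a missing source address are reported rather than dropped, since the origin of the logon cannot be confirmed.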
Resources
https://posts.specterops.io/sccm-hierarchy-takeover-41929c61e087