
I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays

ID: f7d825d8-cd5e-5950-8eb9-9f932812fb5b

STIX ID: report--f7d825d8-cd5e-5950-8eb9-9f932812fb5b

Feed Name: SpecterOps Blog

Threat Score: 75/100

Date Published: 2025-07-15

Date Updated: 2026-04-30

Author: Garrett Foster


This research post demonstrates an SCCM/MECM attack path in which an adversary coerces a Management Point (PetitPotam) and relays its NTLM authentication to the site SQL database. With that access, the adversary can call procedures such as MP_GetMachinePolicyAssignments and MP_GetPolicyBody and recover and decrypt sensitive policies, including Network Access Account credentials and Task Sequence variables. The author supplies PoC commands (ntlmrelayx, PetitPotam, mssqlclient.py, PXEthief), implementation analysis, and defensive guidance.
