
Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP

ID: ff04cd2a-9e02-52fb-ac62-3b32d9b65b4e

STIX ID: report--ff04cd2a-9e02-52fb-ac62-3b32d9b65b4e

Feed Name: SpecterOps Blog

Threat Score
85/100

Date Published: 2026-01-14

Date Updated: 2026-04-30

Author: Logan Goins

...
...

This research demonstrates a novel SCCM client-push abuse. When the site server calls WNetAddConnection2 to map a WebDAV share, the call can start the WebClient service and coerce the site server into HTTP NTLM authentication. An attacker who can register a rogue SCCM client, and who meets certain conditions (WebDAV Redirector installed on the site server, automatic client push enabled, NTLM fallback allowed, and no LDAP signing or channel binding enforced), can relay that authentication to LDAP to achieve SCCM hierarchy takeover or full Active Directory compromise. Mitigation recommendations include enabling LDAP signing and channel binding, disabling NTLM fallback, and not installing the WebDAV Redirector on site servers.
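The following PowerShell audit is an added example, not code from the SpecterOps post. It checks the host-level preconditions the summary names: whether the WebDAV Redirector feature and the WebClient service are present on the site server, and whether the domain controllers require LDAP signing (LDAPServerIntegrity = 2) and enforce LDAP channel binding (LdapEnforceChannelBinding = 2). The function names are this example's own; the two SCCM site settings (automatic client push and NTLM fallback) live in the SCCM console and are not read here.

```powershell
# Added example (not from the original post). Run Test-SiteServerWebDavExposure on the
# SCCM site server and Test-DcLdapHardening on each domain controller, locally or
# via Invoke-Command. Function names are hypothetical; registry value names are the
# documented NTDS parameters.

function Test-SiteServerWebDavExposure {
    [CmdletBinding()]
    param()
    $result = [ordered]@{}

    # The WebDAV Redirector server feature is what installs the WebClient service.
    # Get-WindowsFeature comes from the ServerManager module on Windows Server.
    $feature = Get-WindowsFeature -Name WebDAV-Redirector -ErrorAction SilentlyContinue
    $result.WebDavRedirectorInstalled = [bool]($feature -and $feature.Installed)

    # A demand-start WebClient is still a problem: a WNetAddConnection2 call against a
    # WebDAV-style path is enough to start it, which is the behaviour the post describes.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $result.WebClientPresent   = [bool]$svc
    $result.WebClientStatus    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $result.WebClientStartType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }

    # Exposed = redirector present and the service can be started at all.
    $result.Exposed = $result.WebDavRedirectorInstalled -and
                      [bool]$svc -and ($svc.StartType -ne 'Disabled')
    [pscustomobject]$result
}

function Test-DcLdapHardening {
    [CmdletBinding()]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    # LDAPServerIntegrity: 2 = signing required (anything else = not required).
    # LdapEnforceChannelBinding: 2 = always enforced (anything else = relayable over LDAPS).
    # A missing value is treated as "not enforced"; no default is assumed here.
    $signing = if ($null -ne $p.LDAPServerIntegrity)       { [int]$p.LDAPServerIntegrity }       else { -1 }
    $cbt     = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { -1 }

    [pscustomobject]@{
        LdapSigningRequired    = ($signing -eq 2)
        ChannelBindingEnforced = ($cbt -eq 2)
        RelayToLdapMitigated   = ($signing -eq 2) -and ($cbt -eq 2)
    }
}

# Usage: on the site server
Test-SiteServerWebDavExposure
# Usage: on a domain controller
Test-DcLdapHardening
```

If `Exposed` is true on the site server and `RelayToLdapMitigated` is false on any domain controller, the two host-side conditions for the relay are both met and the remaining gate is the SCCM site configuration (automatic client push and NTLM fallback), which should be reviewed in the console.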
