Update README.md

theomilan3 · Aug 19, 2022 · f1260e3 · f1260e3
1 parent b8743d1
commit f1260e3
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # PXEThief
 
-PXEThief is a set of tooling that implements attack paths discussed at the DEF CON 30 talk _Pulling Passwords out of Configuration Manager_ (https://forum.defcon.org/node/241925) against the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager (or ConfigMgr, still commonly known as SCCM). It allows for credential gathering from configured Network Access Accounts ([https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/accounts#network-access-account](https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/accounts#network-access-account)) and any Task Sequence Accounts or credentials stored within ConfigMgr Collection Variables that have been configured for the "All Unknown Computers" collection. These Active Directory accounts are commonly over permissioned and allow for privilege escalation to administrative access somewhere in the domain. 
+PXEThief is a set of tooling that implements attack paths discussed at the DEF CON 30 talk _Pulling Passwords out of Configuration Manager_ (https://forum.defcon.org/node/241925) against the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager (or ConfigMgr, still commonly known as SCCM). It allows for credential gathering from configured Network Access Accounts ([https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/accounts#network-access-account](https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/accounts#network-access-account)) and any Task Sequence Accounts or credentials stored within ConfigMgr Collection Variables that have been configured for the "All Unknown Computers" collection. These Active Directory accounts are commonly over permissioned and allow for privilege escalation to administrative access somewhere in the domain, at least in my personal experience. 
 
 Likely, the most serious attack that can be executed with this tooling would involve PXE-initiated deployment being supported for "All unknown computers" on a distribution point without a password, or with a weak password. The overpermissioning of ConfigMgr accounts exposed to OSD mentioned earlier can then allow for a full Active Directory attack chain to be executed with only network access to the target environment.