| TAKEOVER‑1 |
Hierarchy takeover via NTLM coercion and relay to MSSQL on remote site database |
| TAKEOVER‑1.1: Coerce primary site server |
|
| TAKEOVER‑1.2: Coerce SMS Provider |
|
| TAKEOVER‑1.3: Coerce passive site server |
|
| TAKEOVER‑2 |
Hierarchy takeover via NTLM coercion and relay to SMB on remote site database |
| TAKEOVER‑2.1: Coerce primary site server |
|
| TAKEOVER‑2.2: Coerce passive site server |
|
| TAKEOVER‑3 |
Hierarchy takeover via NTLM coercion and relay to HTTP on ADCS |
| TAKEOVER‑3.1: Coerce primary site server |
|
| TAKEOVER‑3.2: Coerce SMS Provider |
|
| TAKEOVER‑3.3: Coerce passive site server |
|
| TAKEOVER‑3.4: Coerce site database server |
|
| TAKEOVER‑4 |
Hierarchy takeover via NTLM coercion and relay from CAS to origin primary site server |
| TAKEOVER‑4.1: Relay to SMB |
|
| TAKEOVER‑4.2: Relay to AdminService |
|
| TAKEOVER‑5 |
Hierarchy takeover via NTLM coercion and relay to AdminService on remote SMS Provider |
| TAKEOVER‑5.1: Coerce primary site server |
|
| TAKEOVER‑5.2: Coerce passive site server |
|
| TAKEOVER‑6 |
Hierarchy takeover via NTLM coercion and relay to SMB on remote SMS Provider |
| TAKEOVER‑6.1: Coerce primary site server |
|
| TAKEOVER‑6.2: Coerce passive site server |
|
| TAKEOVER‑7 |
Hierarchy takeover via NTLM coercion and relay to SMB between primary and passive site servers |
| TAKEOVER‑7.1: Coerce primary site server |
|
| TAKEOVER‑7.2: Coerce passive site server |
|
| TAKEOVER‑8 |
Hierarchy takeover via NTLM coercion and relay HTTP to LDAP on domain controller |
| TAKEOVER‑8.1: Coerce primary site server |
|
| TAKEOVER‑8.2: Coerce SMS Provider |
|
| TAKEOVER‑8.3: Coerce passive site server |
|
| TAKEOVER‑8.4: Coerce site database server |
|
| TAKEOVER‑9 |
Hierarchy takeover via crawling site database links configured with DBA privileges |