Microsoft Deployment Toolkit (MDT) shares, an often-overlooked infrastructure component, can be a goldmine of credentials for attackers.
A new report published by TrustedSec highlights how red teams can easily extract domain administrator credentials from misconfigured MDT deployments, potentially leading to complete network compromise.
While security professionals have long focused on System Center Configuration Manager (SCCM) as a target, MDT often flies under the radar despite presenting similar security risks, sometimes with even less effort to exploit.
“MDT can be a quick ticket to find domain credentials,” security researcher Oddvar Moe writes in the TrustedSec report. “Just imagine if the adjoin account has been used to join all the servers to the domain. That means ownership of the AD accounts”.
Microsoft Deployment Toolkit is widely used in enterprise environments to deploy operating systems without the complexity of a complete SCCM infrastructure. The toolkit stores configuration files often containing plaintext credentials, including accounts with domain privileges.
According to the report, the most valuable targets are two specific files within the deployment share: Bootstrap.ini and CustomSettings.ini, typically located in the DeploymentShare\Control directory. These files frequently contain credentials for domain operations, including accounts used to join computers to domains.

Particularly concerning are several credential types stored in these files, including:
- DomainAdmin: Used to join computers to the domain
- UserID: Used to access network resources
- AdminPassword: For local administrator accounts
- DBPwd: Used to connect to SQL servers during deployment
The research also reveals additional locations where credentials may be exposed, including within task sequence files (ts.xml), unattend.xml files, and custom scripts scattered throughout the deployment share.
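The following PowerShell function is an added example for defenders, not code from the TrustedSec report or from MDT itself. It inventories where the credential properties named above are set in a deployment share (the two INI files under Control, plus ts.xml, unattend.xml and scripts under Control and Scripts) so the accounts can be reviewed and rotated. It reports only the file, location and property name, never the secret value. The share path is an assumed parameter; the property names are the MDT settings listed in the article plus their companion password properties (DomainAdminPassword, UserPassword).

```powershell
# Added example (not from the TrustedSec report or MDT): inventory credential-bearing settings
# in an MDT deployment share. Assumes the caller supplies the share path.
function Find-MdtCredentialSettings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$DeploymentShare   # e.g. '\\MDTSERVER\DeploymentShare$' (placeholder path)
    )

    # MDT properties that hold a secret or name a privileged account.
    $secretKeys = 'DomainAdmin', 'DomainAdminPassword', 'UserID', 'UserPassword', 'AdminPassword', 'DBPwd'
    $escaped    = $secretKeys | ForEach-Object { [regex]::Escape($_) }
    $keyPattern = '^\s*(' + ($escaped -join '|') + ')\s*=\s*(\S.*)$'

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Bootstrap.ini and CustomSettings.ini under Control: section-aware INI scan.
    $control = Join-Path $DeploymentShare 'Control'
    foreach ($ini in Get-ChildItem -Path $control -Filter '*.ini' -File -ErrorAction SilentlyContinue) {
        $section = ''
        $lineNo  = 0
        foreach ($line in Get-Content -Path $ini.FullName) {
            $lineNo++
            if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($line -match $keyPattern) {
                $findings.Add([pscustomobject]@{
                    File     = $ini.FullName
                    Location = "[$section] line $lineNo"
                    Property = $Matches[1]
                    # The value is deliberately not captured; only its presence is reported.
                    Present  = $true
                })
            }
        }
    }

    # 2. Task sequences (ts.xml), answer files (unattend.xml) and scripts: plain text search
    #    for the same property names and for password elements or assignments.
    $textPattern = '(' + ($escaped -join '|') + ')|<(Administrator)?Password>|Password\s*='
    foreach ($dir in 'Control', 'Scripts') {
        $root = Join-Path $DeploymentShare $dir
        Get-ChildItem -Path $root -Recurse -File -Include '*.xml', '*.ps1', '*.vbs', '*.wsf', '*.cmd', '*.bat' -ErrorAction SilentlyContinue |
            Select-String -Pattern $textPattern |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    File     = $_.Path
                    Location = "line $($_.LineNumber)"
                    Property = $_.Matches[0].Value
                    Present  = $true
                })
            }
    }
    return $findings
}

# Usage (run as an account that is permitted to read the share):
# Find-MdtCredentialSettings -DeploymentShare '\\MDTSERVER\DeploymentShare$' | Format-Table -AutoSize
```

The INI pass is section-aware so a finding can be traced to the [Default] block or a model-specific block, which matters when different task sequences use different accounts; the second pass is a deliberately broad text search because task sequence steps and custom scripts do not share one schema, so expect a few false positives to triage.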

Most alarming is the prevalence of misconfigured deployment shares. “In most cases when I encounter MDT on engagements, I rarely see this correctly configured. More often than not, the deployment share is shared to all users, meaning that any AD account can open the MDT deployment share on the server and browse its content,” notes Moe.
The Five Steps to Mitigate Credential Exposure guide, published last week by the Cloud Security Alliance, emphasizes that “over 60% of breaches involve compromised credentials,” making proper credential management critical.
Security experts recommend several measures to protect MDT deployments:
- Restrict access to deployment shares with proper permissions.
- Implement the principle of least privilege for service accounts.
- Regularly audit credentials stored in configuration files.
- Use dedicated accounts with limited permissions for deployment tasks.
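As an added example for the first of these measures, not code from the report, the function below runs on the MDT server and flags principals on the deployment share that effectively mean "any AD account" (Everyone, Authenticated Users, Users, Domain Users), at both the SMB share level and in the NTFS ACL of the Control folder where Bootstrap.ini and CustomSettings.ini live. The share name is an assumed parameter; it relies on the standard SmbShare module cmdlets and Get-Acl.

```powershell
# Added example (not from the TrustedSec report or MDT): detect broad access grants on an
# MDT deployment share. Run on the MDT server; assumes the SmbShare module is available.
function Test-MdtShareExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ShareName   # e.g. 'DeploymentShare$' (placeholder name)
    )

    # Principals that grant access to every domain account. A share readable by any of these
    # exposes the INI files to all users, the misconfiguration the report describes.
    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', '*\Domain Users'

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. SMB share-level permissions.
    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        $isBroad = $broad | Where-Object { $ace.AccountName -like $_ }
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad) {
            $findings.Add([pscustomobject]@{
                Layer     = 'SMB share'
                Principal = $ace.AccountName
                Access    = $ace.AccessRight
            })
        }
    }

    # 2. NTFS permissions on the Control folder (share rights and NTFS rights combine,
    #    so both layers must be restricted).
    $controlPath = Join-Path $share.Path 'Control'
    foreach ($ace in (Get-Acl -Path $controlPath).Access) {
        $isBroad = $broad | Where-Object { $ace.IdentityReference.Value -like $_ }
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad) {
            $findings.Add([pscustomobject]@{
                Layer     = 'NTFS'
                Principal = $ace.IdentityReference.Value
                Access    = $ace.FileSystemRights
            })
        }
    }
    return $findings
}

# Usage:
# Test-MdtShareExposure -ShareName 'DeploymentShare$' | Format-Table -AutoSize
```

An empty result means only explicitly named accounts or groups are granted access; the intended end state is a dedicated, least-privilege deployment account with Read on the share (Revoke-SmbShareAccess and Grant-SmbShareAccess adjust the SMB layer, icacls or Set-Acl the NTFS layer), which also covers the fourth measure in the list above.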
For red teamers, this research demonstrates yet another avenue for credential harvesting during security assessments. For defenders, it serves as a crucial reminder that deployment infrastructure requires the same security scrutiny as other critical systems.
“This could be a critical hit if that is the case,” concludes Moe, referring to scenarios where MDT service accounts have excessive privileges.
As organizations strengthen their security postures against sophisticated threats, addressing these often-overlooked credential exposures in deployment infrastructure must become a priority.