TL;DR
Most classic impersonation techniques are well-known and flagged by EDR. The SCCM SMS Agent Host (ccmexec.exe) impersonates users by design, launching trusted binaries in their sessions. Modifying specific SCCM binaries therefore enables code execution under user context without custom APIs or alerts.
Discovery
While testing common impersonation methods, most were immediately flagged by EDR. I started exploring alternatives - specifically looking for trusted processes that execute in user context, either on a schedule or via triggers.
After some digging, I found:
ccmexec.exe runs as SYSTEM. After a service restart or every 20–30 minutes (I’ve seen that in some prod environments), it executes C:\Windows\CCM\SCNotification.exe and C:\Windows\CCM\UpdateTrustedSites.exe in the context of each user with an active RDP session.
Unlike typical system binaries requiring TrustedInstaller permissions, files in C:\Windows\CCM\ can be modified by any local admin. This means it’s possible to swap these executables with custom payloads, achieving silent code execution in user sessions without triggering EDR. So, with admin privileges on the host, the files can simply be modified over SMB without leaving too many traces or artifacts.
Exploitation
After replacing the original UpdateTrustedSites.exe with a minimal executable that creates a file named after the current user’s username, the service was restarted. 4 separate files were then generated - one per user session - confirming a successful hijack and execution in each user context.
Potentially, it can also be used to request/save Kerberos tickets on behalf of users, execute SMB requests to get NTLM hashes, etc.
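A defender can check the two binaries named above for tampering. The following is an added example, not code from the original post: the function name Test-CcmBinary and the optional baseline table are hypothetical, and it assumes that genuine copies of both files carry a valid Authenticode signature from Microsoft Corporation.

```powershell
# Added example: integrity audit of the two binaries ccmexec.exe launches in user sessions.
# Assumption: genuine copies carry a valid Authenticode signature from Microsoft Corporation.
$Targets = @(
    'C:\Windows\CCM\SCNotification.exe',
    'C:\Windows\CCM\UpdateTrustedSites.exe'
)

function Test-CcmBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Baseline = @{}   # optional: path -> known-good SHA256 from a clean client
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Findings = @('file missing') }
    }
    $findings = @()
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $item = Get-Item -LiteralPath $Path

    # A replaced binary is either unsigned, hash-mismatched, or signed by someone else.
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    if ($Baseline.ContainsKey($Path) -and $Baseline[$Path] -ne $hash) {
        $findings += 'SHA256 differs from baseline'
    }

    # Identities whose allow ACEs include the right to overwrite the file's data.
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $writers = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeBit) -ne 0)
    } | ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Path      = $Path
        SHA256    = $hash
        LastWrite = $item.LastWriteTimeUtc
        Signer    = $sig.SignerCertificate.Subject
        Writers   = $writers -join '; '
        Findings  = $findings
    }
}

$Targets | ForEach-Object { Test-CcmBinary -Path $_ } | Format-List
```

Passing -Baseline with hashes recorded from a freshly installed client of the same version also catches a swap for a different, validly signed binary.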

