Introducing BloodHound Scentry: Accelerate your APM practice. Learn More

Garrett Foster

See the latest by Garrett Foster

Task Failed Successfully – Microsoft’s “Immediate” Retirement of MDT

Research & Tradecraft

Task Failed Successfully – Microsoft’s “Immediate” Retirement of MDT

TL;DR – After reporting vulnerabilities found in MDT, Microsoft chose to retire the service rather than fix the issues. As…

By: Garrett Foster

12 mins
SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)

Research & Tradecraft

SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)

TL:DR SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate privileges, harvest credentials, and…

By: Garrett Foster

21 mins
SCCM Hierarchy Takeover via Entra Integration…Because of the Implication

Research & Tradecraft

SCCM Hierarchy Takeover via Entra Integration…Because of the Implication

TL;DR SCCM sites (prior to KB35360093) integrated with Entra ID can be abused to compromise the entire hierarchy. Introduction Despite…

By: Garrett Foster

17 mins
WriteAccountRestrictions (WAR) – What is it good for?

Research & Tradecraft

WriteAccountRestrictions (WAR) – What is it good for?

TL;DR A lot of things. The User-Account-Restrictions property grants read/write permissions to the user-account-control LDAP attribute, which can be used…

By: Garrett Foster

20 mins
HKLM\SYSTEM\Setup\sMarTdEpLoY –  The (Static) Keys to Abusing PDQ SmartDeploy

Research & Tradecraft

HKLM\SYSTEM\Setup\sMarTdEpLoY –  The (Static) Keys to Abusing PDQ SmartDeploy

TL;DR: Prior to version 3.0.2046, PDQ SmartDeploy used static, hardcoded, and universal encryption keys for secure credential storage. Low-privileged users…

By: Garrett Foster

10 mins
I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays

Research & Tradecraft

I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays

TL;DR Network Access Account, Task Sequence, and Collection Settings policies can be recovered from SCCM by relaying a remote management…

By: Garrett Foster

24 mins
Misconfiguration Manager: Still Overlooked, Still Overprivileged

Research & Tradecraft

Misconfiguration Manager: Still Overlooked, Still Overprivileged

TL;DR It has been one year since Misconfiguration Manager’s release and the security community has been hard at work researching…

By: Duane Michael, Garrett Foster

8 mins
Decrypting the Forest From the Trees

Research & Tradecraft

Decrypting the Forest From the Trees

TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is…

By: Garrett Foster

10 mins
SCCM Hierarchy Takeover with High Availability

Research & Tradecraft

SCCM Hierarchy Takeover with High Availability

TL;DR: SCCM sites configured to support high availability can be abused to compromise the entire hierarchy I previously wrote about…

By: Garrett Foster

15 mins
Page 1 / 2