Introducing BloodHound Scentry: Accelerate your APM practice. Learn More

Garrett Foster

Senior Security Researcher

Garrett is a Senior Security Researcher at SpecterOps specializing in Windows tradecraft and attack path development. His research focuses on Active Directory security and enterprise management infrastructure.

See the latest by Garrett Foster

Task Failed Successfully – Microsoft’s “Immediate” Retirement of MDT

Research & Tradecraft

Task Failed Successfully – Microsoft’s “Immediate” Retirement of MDT

TL;DR – After reporting vulnerabilities found in MDT, Microsoft chose to retire the service rather than fix the issues. As…

By: Garrett Foster

12 mins
SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)

Research & Tradecraft

SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)

TL:DR SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate privileges, harvest credentials, and…

By: Garrett Foster

21 mins
SCCM Hierarchy Takeover via Entra Integration…Because of the Implication

Research & Tradecraft

SCCM Hierarchy Takeover via Entra Integration…Because of the Implication

TL;DR SCCM sites (prior to KB35360093) integrated with Entra ID can be abused to compromise the entire hierarchy. Introduction Despite…

By: Garrett Foster

17 mins
WriteAccountRestrictions (WAR) – What is it good for?

Research & Tradecraft

WriteAccountRestrictions (WAR) – What is it good for?

TL;DR A lot of things. The User-Account-Restrictions property grants read/write permissions to the user-account-control LDAP attribute, which can be used…

By: Garrett Foster

20 mins
HKLM\SYSTEM\Setup\sMarTdEpLoY –  The (Static) Keys to Abusing PDQ SmartDeploy

Research & Tradecraft

HKLM\SYSTEM\Setup\sMarTdEpLoY –  The (Static) Keys to Abusing PDQ SmartDeploy

TL;DR: Prior to version 3.0.2046, PDQ SmartDeploy used static, hardcoded, and universal encryption keys for secure credential storage. Low-privileged users…

By: Garrett Foster

10 mins
I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays

Research & Tradecraft

I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays

TL;DR Network Access Account, Task Sequence, and Collection Settings policies can be recovered from SCCM by relaying a remote management…

By: Garrett Foster

24 mins
Misconfiguration Manager: Still Overlooked, Still Overprivileged

Research & Tradecraft

Misconfiguration Manager: Still Overlooked, Still Overprivileged

TL;DR It has been one year since Misconfiguration Manager’s release and the security community has been hard at work researching…

By: Duane Michael, Garrett Foster

8 mins
Decrypting the Forest From the Trees

Research & Tradecraft

Decrypting the Forest From the Trees

TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is…

By: Garrett Foster

10 mins
SCCM Hierarchy Takeover with High Availability

Research & Tradecraft

SCCM Hierarchy Takeover with High Availability

TL;DR: SCCM sites configured to support high availability can be abused to compromise the entire hierarchy I previously wrote about…

By: Garrett Foster

15 mins
Page 1 / 2