Garrett Foster
See the latest by Garrett Foster
Task Failed Successfully – Microsoft’s “Immediate” Retirement of MDT
TL;DR – After reporting vulnerabilities found in MDT, Microsoft chose to retire the service rather than...
By: Garrett Foster
Jan 21, 2026 • 12 min read
SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)
TL;DR SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate...
By: Garrett Foster
Dec 10, 2025 • 21 min read
SCCM Hierarchy Takeover via Entra Integration…Because of the Implication
TL;DR SCCM sites (prior to KB35360093) integrated with Entra ID can be abused to compromise the...
By: Garrett Foster
Nov 19, 2025 • 17 min read
WriteAccountRestrictions (WAR) – What is it good for?
TL;DR A lot of things. The User-Account-Restrictions property grants read/write permissions to the user-account-control LDAP attribute,...
By: Garrett Foster
Oct 1, 2025 • 20 min read
HKLM\SYSTEM\Setup\sMarTdEpLoY – The (Static) Keys to Abusing PDQ SmartDeploy
TL;DR: Prior to version 3.0.2046, PDQ SmartDeploy used static, hardcoded, and universal encryption keys for secure...
By: Garrett Foster
Aug 12, 2025 • 10 min read
I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays
TL;DR Network Access Account, Task Sequence, and Collection Settings policies can be recovered from SCCM by...
By: Garrett Foster
Jul 15, 2025 • 24 min read
Misconfiguration Manager: Still Overlooked, Still Overprivileged
TL;DR It has been one year since Misconfiguration Manager’s release and the security community has been...
By: Duane Michael, Garrett Foster
Jun 26, 2025 • 8 min read
Decrypting the Forest From the Trees
TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If...
By: Garrett Foster
Mar 6, 2025 • 10 min read
SCCM Hierarchy Takeover with High Availability
TL;DR: SCCM sites configured to support high availability can be abused to compromise the entire hierarchy...