blog category

Research & Tradecraft

Hacking Humans: Social Engineering and the Psychology

TL;DR: Social engineering engagements are the most exciting and heart pumping, “in my opinion”. It...

By: John Wotton
Jan 23, 2026 • 12 min read

Task Failed Successfully – Microsoft’s “Immediate” Retirement of MDT

TL;DR – After reporting vulnerabilities found in MDT, Microsoft chose to retire the service rather than...

By: Garrett Foster
Jan 21, 2026 • 12 min read

Updates to the MSSQLHound OpenGraph Collector for BloodHound

tl;dr: MSSQLHound, a PowerShell script that collects security information from remote MSSQL Server instances, now scans...

By: Chris Thompson
Jan 20, 2026 • 7 min read

One WSL BOF to Rule Them All

TL;DR – Windows Subsystem for Linux (WSL) is a powerful way for attackers to hide from...

By: Daniel Mayer
Jan 16, 2026 • 14 min read

MSSQL and SCCM Elevation of Privilege Vulnerabilities

TL;DR: I found two privilege escalation vulnerabilities, one in MSSQL (CVE-2025-49758) and one in Microsoft Configuration...

By: Chris Thompson
Jan 15, 2026 • 16 min read

Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP

TL;DR – During automatic client push installation, an SCCM site server automatically attempts to map WebDav...

By: Logan Goins
Jan 14, 2026 • 15 min read

Introducing ConfigManBearPig, a BloodHound OpenGraph Collector for SCCM

tl;dr: Security researchers have discovered 30+ unique attack techniques targeting SCCM in the past several years,...

By: Chris Thompson
Jan 13, 2026 • 45 min read

Azure Seamless SSO: When Cookie Theft Doesn’t Cut It

TL;DR The cookie crumbled when it expired, but the attack path didn’t. Learn how BloodHound graph...

By: Andrew Gomez
Dec 11, 2025 • 17 min read

SCOMmand And Conquer – Attacking System Center Operations Manager (Part 2)

TL;DR: We found that SCOM RunAs credentials could be obtained on-host and also off-host in certain...

By: Matt Johnson
Dec 10, 2025 • 49 min read