Research & Tradecraft
Research & Tradecraft
Ghostwriter v6.1 — Playing Fetch with BloodHound
Ghostwriter v6.1 introduces a full-featured BloodHound integration that lets you import BloodHound data and findings directly within your projects, alongside new collaborative project notes, upgraded caption editor objects,...
By: Christopher Maddalena
Dec 5, 2025 • 6 min read
Research & Tradecraft
Azure Seamless SSO: When Cookie Theft Doesn’t Cut It
TL;DR The cookie crumbled when it expired, but the attack path didn’t. Learn how BloodHound graph...
By: Andrew Gomez
Dec 11, 2025 • 17 min read
Research & Tradecraft
SCOMmand And Conquer – Attacking System Center Operations Manager (Part 2)
TL;DR: We found that SCOM RunAs credentials could be obtained on-host and also off-host in certain...
By: Matt Johnson
Dec 10, 2025 • 49 min read
Research & Tradecraft
SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)
TL;DR SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate...
By: Garrett Foster
Dec 10, 2025 • 21 min read
Research & Tradecraft
Git SCOMmit – Putting the Ops in OpsMgr
TL;DR Yet another System Center Ludus configuration for your collection. https://github.com/Synzack/ludus_scom Intro As you may know,...
By: Zach Stein
Dec 9, 2025 • 14 min read
Research & Tradecraft
Less Praying More Relaying – Enumerating EPA Enforcement for MSSQL and HTTPS
TL;DR – It’s important to know if your NTLM relay will be prevented by integrity protections...
By: Nick Powers, Matt Creel
Nov 25, 2025 • 16 min read
Research & Tradecraft
TL;DR – A new vulnerability was found one evening in Claude Code (CVE-2025-64755). I’d love to...
By: Adam Chester
Nov 21, 2025 • 17 min read
Research & Tradecraft
SCCM Hierarchy Takeover via Entra Integration…Because of the Implication
TL;DR SCCM sites (prior to KB35360093) integrated with Entra ID can be abused to compromise the...
By: Garrett Foster
Nov 19, 2025 • 17 min read
Research & Tradecraft
Unpacking the AAD Broker LocalState Cache
TL;DR: This post documents the AAD Broker’s storage format, how to unpack it, and discusses potential...