blog category

Research & Tradecraft

One WSL BOF to Rule Them All

TL;DR – Windows Subsystem for Linux (WSL) is a powerful way for attackers to hide from...

By: Daniel Mayer
Jan 16, 2026 • 14 min read

MSSQL and SCCM Elevation of Privilege Vulnerabilities

TL;DR: I found two privilege escalation vulnerabilities, one in MSSQL (CVE-2025-49758) and one in Microsoft Configuration...

By: Chris Thompson
Jan 15, 2026 • 16 min read

Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP

TL;DR – During automatic client push installation, an SCCM site server automatically attempts to map WebDav...

By: Logan Goins
Jan 14, 2026 • 15 min read

Introducing ConfigManBearPig, a BloodHound OpenGraph Collector for SCCM

tl;dr: Security researchers have discovered 30+ unique attack techniques targeting SCCM in the past several years,...

By: Chris Thompson
Jan 13, 2026 • 45 min read

Azure Seamless SSO: When Cookie Theft Doesn’t Cut It

TL;DR The cookie crumbled when it expired, but the attack path didn’t. Learn how BloodHound graph...

By: Andrew Gomez
Dec 11, 2025 • 17 min read

SCOMmand And Conquer – Attacking System Center Operations Manager (Part 2)

TL;DR: We found that SCOM RunAs credentials could be obtained on-host and also off-host in certain...

By: Matt Johnson
Dec 10, 2025 • 49 min read

SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)

TL;DR SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate...

By: Garrett Foster
Dec 10, 2025 • 21 min read

Git SCOMmit – Putting the Ops in OpsMgr

TL;DR Yet another System Center Ludus configuration for your collection. https://github.com/Synzack/ludus_scom Intro As you may know,...

By: Zach Stein
Dec 9, 2025 • 14 min read

Ghostwriter v6.1 — Playing Fetch with BloodHound

Ghostwriter v6.1 introduces a full-featured BloodHound integration that lets you import BloodHound data and findings directly...

By: Christopher Maddalena
Dec 5, 2025 • 6 min read