blog category
Research & Tradecraft
Research & Tradecraft
MSSQL and SCCM Elevation of Privilege Vulnerabilities
TL;DR: I found two privilege escalation vulnerabilities, one in MSSQL (CVE-2025-49758) and one in Microsoft Configuration...
By: Chris Thompson
Jan 15, 2026 • 16 min read
Read Post
Research & Tradecraft
Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP
TL;DR – During automatic client push installation, an SCCM site server automatically attempts to map WebDav...
By: Logan Goins
Jan 14, 2026 • 15 min read
Read Post
Research & Tradecraft
Introducing ConfigManBearPig, a BloodHound OpenGraph Collector for SCCM
tl;dr: Security researchers have discovered 30+ unique attack techniques targeting SCCM in the past several years,...
By: Chris Thompson
Jan 13, 2026 • 45 min read
Read Post
Research & Tradecraft
Azure Seamless SSO: When Cookie Theft Doesn’t Cut It
TL;DR The cookie crumbled when it expired, but the attack path didn’t. Learn how BloodHound graph...
By: Andrew Gomez
Dec 11, 2025 • 17 min read
Read Post
Research & Tradecraft
SCOMmand And Conquer – Attacking System Center Operations Manager (Part 2)
TL;DR: We found that SCOM RunAs credentials could be obtained on-host and also off-host in certain...
By: Matt Johnson
Dec 10, 2025 • 49 min read
Read Post
Research & Tradecraft
SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)
TL:DR SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate...
By: Garrett Foster
Dec 10, 2025 • 21 min read
Read Post
Research & Tradecraft
Git SCOMmit – Putting the Ops in OpsMgr
TL;DR Yet another System Center Ludus configuration for your collection. https://github.com/Synzack/ludus_scom Intro As you may know,...
By: Zach Stein
Dec 9, 2025 • 14 min read
Read Post
Research & Tradecraft
Less Praying More Relaying – Enumerating EPA Enforcement for MSSQL and HTTPS
TL;DR – It’s important to know if your NTLM relay will be prevented by integrity protections...