Research & Tradecraft

Search results for: sccm
Found 38 result(s)

SCCM Hierarchy Takeover via Entra Integration…Because of the Implication

TL;DR SCCM sites (prior to KB35360093) integrated with Entra ID can be abused to compromise the...

By: Garrett Foster
Nov 19, 2025 • 17 min read

NAA or BroCI…? Let Me Explain

TL;DR This writeup is a summary of knowledge and resources for nested application authentication (NAA) and...

By: Hope Walker
Oct 15, 2025 • 12 min read

WriteAccountRestrictions (WAR) – What is it good for?

TL;DR A lot of things. The User-Account-Restrictions property grants read/write permissions to the user-account-control LDAP attribute,...

By: Garrett Foster
Oct 1, 2025 • 20 min read

Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication

TL;DR: Microsoft uses nested app authentication (NAA) for many applications. Access and refresh tokens for select...

By: Hope Walker
Aug 13, 2025 • 19 min read

HKLM\SYSTEM\Setup\sMarTdEpLoY – The (Static) Keys to Abusing PDQ SmartDeploy

TL;DR: Prior to version 3.0.2046, PDQ SmartDeploy used static, hardcoded, and universal encryption keys for secure...

By: Garrett Foster
Aug 12, 2025 • 10 min read

Entra Connect Attacker Tradecraft: Part 3

TL;DR Attackers can exploit Entra Connect sync accounts to hijack device userCertificate properties, enabling device impersonation...

By: Daniel Heinsen
Jul 30, 2025 • 16 min read

I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays

TL;DR Network Access Account, Task Sequence, and Collection Settings policies can be recovered from SCCM by...

By: Garrett Foster
Jul 15, 2025 • 24 min read

Misconfiguration Manager: Still Overlooked, Still Overprivileged

TL;DR It has been one year since Misconfiguration Manager’s release and the security community has been...

By: Duane Michael, Garrett Foster
Jun 26, 2025 • 8 min read

The Renaissance of NTLM Relay Attacks: Everything You Need to Know

NTLM relay attacks have been around for a long time. While many security practitioners think NTLM...

By: Elad Shamir
Apr 8, 2025 • 40 min read