Misconfiguration Manager: Still Overlooked, Still Overprivileged
2025-06-26, Track 2 (AD & Entra ID Sec)

At Troopers 24, we presented Misconfiguration Manager: Overlooked and Overprivileged, exploring the rampant SCCM misconfigurations that have grown into widely adopted tradecraft among adversaries and red teams. A year later, the landscape has only grown more interesting: new attack paths have emerged, defenses have evolved (or failed to), and SCCM remains a prime target for privilege escalation, post-exploitation, and domain compromise. In this talk, we’ll explore what’s changed, what’s still broken, and the latest horror stories and tradecraft research shaping SCCM security today.

Microsoft Configuration Manager (SCCM) remains a cornerstone of enterprise IT and a persistent security risk. Since our last talk at Troopers 24, SCCM attack techniques have continued to evolve, with new tradecraft enabling credential access, privilege escalation, and domain compromise. Real adversaries and ransomware gangs target SCCM, while defenders scramble to keep up.

This talk is the next chapter in SCCM security research, showcasing the latest attack paths, new and updated techniques and tooling, and case studies from real-world engagements. We’ll revisit some of last year’s most critical misconfigurations, highlight newly discovered attack primitives, and analyze how organizations have (or haven’t) adapted their defenses. We'll also share updates to the SCCM Attack & Defense Matrix, providing a structured way to assess and mitigate SCCM-related risks.

For those who joined us last year, this is a deep dive into what’s new and what remains dangerously overlooked. For those encountering this research for the first time, this talk will highlight why SCCM continues to be a valuable target for attackers and the evolving TTPs used to exploit it. Expect fresh research, practical takeaways, and real-world case studies from the past year of SCCM exploitation.

Duane Michael (@subat0mik) is an adversary simulation manager, operator, and researcher at SpecterOps. He has experience operating in many Fortune 100 enterprise environments across various industries. Duane enjoys Windows security research, has presented tooling and research at Black Hat Arsenal, DEF CON, Troopers, and SO-CON, is a contributor to various open source projects, such as SharpSCCM and SharpDPAPI, and is a primary author of Misconfiguration Manager. Duane has instructed courses at Black Hat USA/EU, DEF CON, and SO-CON covering topics such as red team operations, SCCM attacks, and Windows internals.

Garrett Foster (@unsigned_sh0rt) is a senior security researcher, red team operator, instructor, and course architect at SpecterOps. He has conducted and led successful engagements against organizations in the finance, healthcare, and energy sectors. Garrett enjoys Active Directory security and endpoint management research and offensive tool development. He has previously presented at Black Hat USA and DEF CON, is a co-author of the Misconfiguration Manager project, and is the primary developer of SCCMHunter.