Hunting With Active Directory Replication Metadata

With the recent release of BloodHound’s ACL Attack Path Update as well as the work on Active Directory DACL backdooring by @_wald0 and myself (whitepaper here), I started to investigate ACL-based attack paths from a defensive perspective. Sean Metcalf has done some great work concerning Active Directory threat hunting (see his 2017 BSides Charm “Detecting …

Hunting With Active Directory Replication Metadata Read More »


I’m taking a quick break from our Empire series to bring you something my ATD teammate Matt Nelson and myself have been working on over the last month or so- a project called PowerSCCM. This is the first primarily defensive-oriented post I’ve published, but fear not, more offensive material is in the hopper ;) Using Microsoft’s System Center Configuration Manager (SCCM) for …

PowerSCCM Read More »