Misconfiguration Manager: Still Overlooked, Still Overprivileged
At Troopers 24, we presented "Misconfiguration Manager: Overlooked and Overprivileged", exploring the rampant SCCM misconfigurations that have grown into widely adopted tradecraft among adversaries and red teams. A year later, the landscape has only grown more interesting - new attack paths have emerged, defenses have evolved (or failed to), and SCCM remains a prime target for privilege escalation, post-exploitation, and domain compromise. In this talk, we’ll explore what’s changed, what’s still broken, and the latest horror stories and tradecraft research shaping SCCM security today.
Microsoft Configuration Manager (SCCM) remains a cornerstone of enterprise IT and a persistent security risk. Since our last talk at Troopers 24, SCCM attack techniques have continued to evolve, with new tradecraft enabling credential access, privilege escalation, and domain compromise. Real adversaries and ransomware gangs target SCCM, while defenders scramble to keep up.
This talk is the next chapter in SCCM security research, showcasing the latest attack paths, new and updated techniques and tooling, and case studies from real-world engagements. We’ll revisit some of last year’s most critical misconfigurations, highlight newly discovered attack primitives, and analyze how organizations have (or haven’t) adapted their defenses. We’ll also share updates to the SCCM Attack & Defense Matrix, providing a structured way to assess and mitigate SCCM-related risks.
For those who joined us last year, this is a deep dive into what’s new and what remains dangerously overlooked. For those encountering this research for the first time, this talk will highlight why SCCM continues to be a valuable target for attackers and the evolving TTPs used to exploit it. Expect fresh research, practical takeaways, and real-world case studies from the past year of SCCM exploitation.