Red Team Gold: Extracting Credentials from MDT Shares
ID: aa4d479e-b6af-5a10-8597-5cbe08a549e8
STIX ID: report--aa4d479e-b6af-5a10-8597-5cbe08a549e8
Feed Name: TrustedSec blog
This report explains how misconfigured Microsoft Deployment Toolkit (MDT) deployments frequently expose credentials and sensitive configuration—stored in files like bootstrap.ini, CustomSettings.ini, ts.xml, unattend.xml, and custom scripts or images—allowing attackers or red teams to retrieve DomainAdmin/UserID credentials, perform domain joins, and potentially escalate to domain-wide compromise.
