NetSPI Blog

Scott Sutherland

Scott is currently responsible for the development, and execution of network penetration testing at NetSPI. His role includes researching and developing tools, techniques, and methodologies used during network and application penetration tests. Scott has been providing IT security services to medium sized to Fortune 50 companies for over 10 years. As an active participant in the information security community, Scott also contributes technical security blog posts, whitepapers, and presentations on a regular basis through NetSPI. Published presentations can be found here. Scott's most recent project is PowerUpSQL.

Scott Sutherland
November 18th, 2019

Analyzing DNS TXT Records to Fingerprint Online Service Providers

In this blog I’ll share a process/script that can be used to identify online service providers used by a target company through domain validation tokens stored in DNS TXT records.

Scott Sutherland
November 11th, 2019

Exploiting SQL Server Global Temporary Table Race Conditions

This blog will walk through how to find and exploit SQL Server global temporary table race conditions to gain unauthorized access to data and execute code.

Scott Sutherland
June 27th, 2018

Bypassing SQL Server Logon Trigger Restrictions

This shows how to bypass SQL Server logon trigger restrictions by spoofing hostnames and application names using lesser known connection string properties.

Scott Sutherland
June 12th, 2018

Prioritizing the Remediation of Mitre ATT&CK Framework Gaps

In this blog I’ll share a few tips for prioritizing the remediation of detective control gaps related to the Mitre ATT&CK Framework.

Scott Sutherland
May 25th, 2018

Databases and Clouds: SQL Server as a C2

This blog will provide an overview of how to create and maintain access to an environment using SQL Server as the controller and the agent using a new PoC script called SQLC2.

Scott Sutherland
May 8th, 2018

Attacking Application Specific SQL Server Instances

This blog walks through how to quickly identify SQL Server instances used by 3rd party applications that are configured with default passwords using PowerUpSQL.

Scott Sutherland
July 13th, 2017

Attacking SQL Server CLR Assemblies

In this blog, I’ll be expanding on the CLR assembly attacks developed by Lee Christensen and covered in Nathan Kirk’s CLR blog series. I’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence.  I’ll also share a few new PowerUpSQL […]

Scott Sutherland
May 23rd, 2017

How to get SQL Server Sysadmin Privileges as a Local Admin with PowerUpSQL

In this blog I outline common techniques that can be used to leverage the SQL Server service account to escalate privileges from a local administrator to a SQL Server sysadmin (DBA).

Scott Sutherland
October 11th, 2016

Common Red Team Techniques vs Blue Team Controls Infographic

In this blog, I’ll share an infographic that illustrates some common red team attack workflows and blue team controls. I’ll also include some basic red & blue team tips.