NetSPI Blog

Alexander Polce Leary
June 19th, 2018

Tokenvator: A Tool to Elevate Privilege using Windows Tokens

WheresMyImplant is a mini red team toolkit that I have been developing over the past year in .NET. While developing and using it, I found that I consistently needed to alter my process access token to do such things as obtain SYSTEM permissions or add debug privileges […]

Scott Sutherland
June 12th, 2018

Prioritizing the Remediation of Mitre ATT&CK Framework Gaps

In this blog I’ll share a few tips for prioritizing the remediation of detective control gaps related to the Mitre ATT&CK Framework.

Thomas Elling
May 31st, 2018

Dumping Active Directory Domain Info – with PowerUpSQL!

This blog walks through some new Active Directory recon functions in PowerUpSQL. The PowerUpSQL functions use the OLE DB ADSI provider to query Active Directory for domain users, computers, and other configuration information through SQL Server queries.
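To show what "querying Active Directory through SQL Server" looks like in practice, here is an added T-SQL example. It is not PowerUpSQL's own code and is not taken from the linked post; it registers the ADSI OLE DB provider as a linked server and then pulls user and computer objects with OPENQUERY. The linked server name ADSI, the domain DN DC=corp,DC=local and the sysadmin context are assumptions for illustration.

```sql
-- Added example (not PowerUpSQL code). Assumes: the caller is sysadmin, the SQL Server
-- host is domain-joined, the domain DN is DC=corp,DC=local, and ADSI is a free
-- linked server name. Run in master.

-- 1. Register the Active Directory OLE DB provider (ADSDSOObject) as a linked server.
EXEC master.dbo.sp_addlinkedserver
    @server     = N'ADSI',
    @srvproduct = N'Active Directory Service Interfaces',
    @provider   = N'ADSDSOObject',
    @datasrc    = N'adsdatasource';

-- 2. Choose the identity used for the LDAP bind. With @useself = 'True' a Windows
--    login's own credentials are passed through. For a SQL login you would instead
--    set @useself = 'False' and supply @rmtuser / @rmtpassword for a domain account
--    (assumed here to be unnecessary because the caller is a Windows login).
EXEC master.dbo.sp_addlinkedsrvlogin
    @rmtsrvname = N'ADSI',
    @useself    = N'True';

-- 3. Enumerate domain user accounts. Only single-valued attributes are requested:
--    the ADSI provider fails on multi-valued attributes such as memberOf, and on
--    Int8 timestamps such as lastLogon, so keep the select list conservative.
--    Note the doubled single quotes: the whole LDAP query is a string literal.
SELECT *
FROM OPENQUERY(ADSI, '
    SELECT samAccountName, displayName, description, userAccountControl
    FROM ''LDAP://DC=corp,DC=local''
    WHERE objectCategory = ''person'' AND objectClass = ''user''
');

-- 4. Enumerate domain computers with their reported operating system.
SELECT *
FROM OPENQUERY(ADSI, '
    SELECT name, dNSHostName, operatingSystem, operatingSystemVersion
    FROM ''LDAP://DC=corp,DC=local''
    WHERE objectClass = ''computer''
');

-- 5. Clean up the linked server when done (leaving it behind is a finding of its own).
EXEC master.dbo.sp_dropserver @server = N'ADSI', @droplogins = 'droplogins';
```

Two caveats a practitioner will hit: the provider typically returns at most 1000 rows per query because it does not page LDAP results, so large domains need narrower filters (for example on the first character of samAccountName), and creating the linked server requires sysadmin or ALTER ANY LINKED SERVER, which is exactly why a SQL Server login with that right is worth treating as a domain reconnaissance foothold.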

Scott Sutherland
May 25th, 2018

Databases and Clouds: SQL Server as a C2

This blog will provide an overview of how to create and maintain access to an environment using SQL Server as the controller and the agent using a new PoC script called SQLC2.

Karl Fosaaen
May 22nd, 2018

Utilizing Azure Services for Red Team Engagements

Everything seems to be moving into the cloud, so why not move your red team infrastructure there too? Well… lots of people have already been doing that (see here), but what about using hosted services from a cloud provider to hide your activities within the safety of the provider’s trusted domains? That’s something that we […]

Scott Sutherland
May 8th, 2018

Attacking Application Specific SQL Server Instances

This blog walks through how to quickly identify SQL Server instances used by third-party applications that are configured with default passwords using PowerUpSQL.

Alexander Polce Leary
April 24th, 2018

Executing .NET Methods with RunDotNetDll32

This blog introduces RunDotNetDll32.exe, which is a new tool for reflectively enumerating and executing .NET methods. It’s syntactically very similar to RunDll32.exe.

Thomas Elling
April 17th, 2018

Dumping Active Directory Domain Info – in Go!

I’ve used NetSPI PowerShell tools and the PowerView toolset to dump information from Active Directory during almost every internal penetration test I’ve done. These tools are a great starting point for gaining insight into an Active Directory environment. Go seems to be gaining popularity for its performance and scalability, so I tried to replicate some […]

Jake Reynolds
March 27th, 2018

Please Stop Giving Me Your Passwords – Part 1

I found myself in the office on Saturday night, mainly because the frozen pizza selection is more expansive than mine at home, and I wanted to get a head start on my project for this week. It was a normal Static Application Security Test (SAST), which follows a mostly pre-defined process, with embellishments depending on […]