NetSPI Blog

Karl Fosaaen
September 12th, 2019

Maintaining Azure Persistence via Automation Accounts

In every penetration test that involves Azure, we want to escalate our privileges up to a global administrator of the tenant. Once we’ve escalated our privileges in an Azure tenant, we want to have the ability to maintain our access to each subscription and the tenant as a whole. Aside from the benefits of controlling […]

Kevin Robertson
August 29th, 2019

MachineAccountQuota Transitive Quota: 110 Accounts and Beyond

Background If you aren’t familiar with MachineAccountQuota (MAQ), I recommend skimming my previous blog post on the subject. TLDR Active Directory (AD) tracks transitive accounts created through MAQ to limit the number of accounts that can be added from a single unprivileged source account. AD calculates the maximum using a formula of Q * (Q […]

Josh Weber
July 9th, 2019

Collecting Contacts from

For our client engagements, we are constantly searching for new methods of open source intelligence (OSINT) gathering. This post will specifically focus on targeting client contact collection from a site we have found to be very useful ( and will describe some of the hurdles we needed to overcome to write automation around site scraping. […]

Karl Fosaaen
March 20th, 2019

Using Azure Automation Accounts to Access Key Vaults

This is the second post in a series of blogs that focuses around Azure Automation. Check out “Exporting Azure RunAs Certificates for Persistence” for more info on how authentication works for Automation Accounts. In this installment, we’re going to focus on making use of Automation Accounts to gain access to sensitive data stored in Key […]

Kevin Robertson
March 6th, 2019

MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory’s Oddest Settings

MachineAccountQuota (MAQ) is a domain level attribute that by default permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain. My first run-in with MAQ was way back in my days as a network administrator on a new job. I was assigned the task of joining a remote location’s systems […]

Karl Fosaaen
February 27th, 2019

Get-AzurePasswords: Exporting Azure RunAs Certificates for Persistence

This post will be the first blog in a series that focuses around Azure Automation. I’ve recently run into a fair number of clients making use of Azure Automation Runbooks, and in many cases, the runbooks are being misconfigured. As attackers, these misconfigurations can provide us credentials, sensitive data, and some interesting points for escalation. […]

Kevin Robertson
December 5th, 2018

ADIDNS Revisited – WPAD, GQBL, and More

A few months ago, I wrote a blog post on exploiting Active Directory-Integrated DNS (ADIDNS). This post will mainly cover some additional techniques on both the offensive and defensive fronts. I would suggest at least skimming the original post before continuing here. With that out of the way, I’d like to start by adding in […]

Lars Sorenson
November 27th, 2018

Escape NodeJS Sandboxes

In this blog post, we’re going to explore how to escape NodeJS sandboxes by understanding the internals of the interpreter. NodeJS is a JavaScript runtime built on Chrome’s V8 JavaScript engine, allowing developers to use the same programming language, and possibly codebase, for the frontend and backend of an application. Initially released in 2009, NodeJS now […]

Karl Fosaaen
November 6th, 2018

Running PowerShell on Azure VMs at Scale

Let’s assume that you’re on a penetration test, where the Azure infrastructure is in scope (as it should be), and you have access to a domain account that happens to have “Contributor” rights on an Azure subscription. Contributor rights are typically harder to get, but we do see them frequently given out to developers, and […]