MSSQL linked servers: abusing ADSI for password retrieval
Introduction When we talk about Microsoft SQL Server linked servers, we usually think of links to another SQL Server ins[...]
BlackArrow's Blog
Red team & Threat hunting Blog - offensive security
One shell to HANDLE them all
Introduction During a Red Teaming engagement, the exploitation of vulnerabilities in web apps usually offers a good ch[...]
AD CS: from ManageCA to RCE
Introduction In our previous article, we covered an engagement where it was necessary to execute the ESC7 attack to esca[...]
AD CS: weaponizing the ESC7 attack
Introduction to AD CS ESC7 Last year, SpecterOps published an in-depth research about the security state in Active Dir[...]
Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
Introduction During a recent Red Team operation got local admin privileges on a workstation where an EDR solution was id[...]
From N-day exploit to Kerberos EoP in Linux environments
Introduction In one of its operations, the Red Teaming achieved command execution in a perimeter web page as a non-privi[...]
Hindering Threat Hunting, a tale of evasion in a restricted environment
It is both common and important for the development of a Red Teaming service to obtain information about the technologie[...]
Attackers Abuse MobileIron’s RCE to deliver Kaiten
In September this year the security researcher Orange Tsai published various vulnerabilities and P0Cs related to the Mob[...]
Analyzing an RFID scanner: bad habits never die
More than a year ago, BlackArrow’s Red Teamers conducted a security analysis of an RFID scanner used by one of its[...]