Scott Sutherland (@_nullbind)

2.1K posts

Security Researcher @NetSPI | PowerUpSQL Author

Minneapolis. Joined July 2010
326 Following, 3.4K Followers
Scott Sutherland reposted

SpecterOps (@SpecterOps):
New MSSQLHound updates from @_Mayyhem 🔥 Now includes EPA-based NTLM relay scanning, CVE-2025-49758 patch detection, and BloodHound Cypher queries to map + remediate MSSQL attack paths. Check it out! ghst.ly/4pKTgVI
Scott Sutherland reposted

SpecterOps (@SpecterOps):
SCCM admins: review your roles. MSSQL admins: review ALTER ANY LOGIN exposure. @_Mayyhem details CVE-2025-47179 & CVE-2025-49758 and how these escalations can be identified through graph analysis. Check out his blog post for more! ghst.ly/49Fj4fM
Scott Sutherland reposted

The Haag™ (@M_haggis):
📦 I just released Security-Detections MCP - a way to let LLMs reason over real detection content, not just the internet. This isn’t "AI writes detections for you." It’s:
• Threat report in
• Coverage + gaps out
• Grounded in actual rules (KQL, SPL, Sigma, internal content)
The MCP indexes your detection corpus and exposes it in a way LLMs can query, compare, validate, and explain. What this enables:
• Faster detection validation
• Identifying blind spots before adversaries do
• Structured markdown reports you can actually act on
• Humans stay in control — AI becomes the force multiplier
Repo ➡️ github.com/MHaggis/Securi…
👇Video walkthrough 👇 youtu.be/i9_sZAp8qfI
If you’re doing detection engineering, threat hunting, or maintaining a large rule set - this changes how fast you can move. More coming. This is just the start.
Scott Sutherland reposted

Kostas (@Kostastsale):
📢 I’m announcing Threat Hunting Labs, launching next year! After building threat hunting teams for large MSSPs, creating DFIR Labs for TheDFIRReport, and sharing years of free threat hunting material, I want to bring everything together into one platform. Something closer to how investigations actually work, not another set of CTF-like labs or check-the-box exercises.
• Choose your own incident investigation path: your choices determine how the investigation unfolds.
• No more keyword matching. Answers are evaluated on intent and accuracy.
• Work directly in Elastic, Splunk, or Azure Data Explorer and learn to investigate and hunt using hypotheses.
The waitlist is now open!! Those who sign up will receive a founders discount, early beta access, and the opportunity to provide feedback during development. The waitlist will close once a certain number of people have signed up and may reopen later if more testers are needed. This is something I wish existed when I was starting in the industry, and something I still want today. Register now, and more details soon. threathuntinglabs.com
Scott Sutherland reposted

watchTowr (@watchtowrcyber):
Today, we’re releasing watchTowr Labs’ @chudyPB’s BlackHat .NET research, owning Barracuda, Ivanti and more solutions. Enjoy the read as Piotr explains a new .NET Framework primitive, used to achieve pre- and post-auth RCE on numerous enterprise appliances. labs.watchtowr.com/soapwn-pwning-…
Scott Sutherland reposted

moo (@moo_hax):
For you @Microsoft and my old team. An LLM as an AMSI provider. Could probably use it to detect prompt injection locally into Bing, CoPilot, or the "Agentic OS". AMSI already works with text, so really nothing else required. Layer it with Defender. Proud of the team for pushing boundaries of integration and working with LLMs in constrained spaces. Or wait, do we pivot to an EDR/SOC company?!
Quoting dreadnode (@dreadnode):

"Offense and defense aren't peers. Defense is offense's child." - @JohnLaTwC We built an LLM-powered AMSI provider and paired it against a red team agent. Then, @0xdab0 wrote a blog about it: dreadnode.io/blog/llm-power… A few observations from the experiment: >>> To advance, we must generate unique, ground-truth datasets. >>> Defenses will need to live at the edge. >>> The real potential lies in the interaction between red and blue. >>> This is a blueprint for generative adversarial reinforcement learning.

Scott Sutherland reposted

NetSPI (@NetSPI):
How is the AI threat landscape evolving? In the latest Hack Responsibly podcast episode, NetSPI's @kfosaaen sits down with Kim Wiles, Director of AI Penetration Testing, to discuss the critical security challenges facing large language models (LLMs). youtu.be/mPyALe68uvg
Tim MalcomVetter (@malcomvetter):
So excited to announce the next chapter: @wirespeed_ is now part of @CoalitionSec (@SolveCyberRisk) where @jreynoldsdev and I will be taking what we've built to the next level for Coalition's > 100K policyholders! "Fastest growing cyber insurer acquires the fastest MDR." 👈 sums it up nicely!
Quoting ⚡️wirespeed (@wirespeed_):

⚡️Huge announcement today! We are joining @CoalitionSec! Read more from co-founders @malcomvetter & @jreynoldsdev: wirespeed.co/posts/coalitio…

Scott Sutherland reposted

Karl (@kfosaaen):
Another day, another tool update. We figured out that the Invoke-AzUADeploymentScript MicroBurst function was missed in the "SecureString" token updates, so tokens weren't being extracted. Casting has been fixed and UA-MI tokens are now extracting again! github.com/NetSPI/MicroBu…
Scott Sutherland reposted

Sean Metcalf (@PyroTek3):
Last week we covered Active Directory Group Policy permissions (x.com/PyroTek3/statu…). This week, we dig into Active Directory Kerberos delegation. I have mentioned in several presentations that Kerberos delegation is impersonation. Kerberos delegation is used when a service (ex. web server) needs to impersonate a user when connecting to a resource (ex. database). There are 4 types of Kerberos delegation:
* Unconstrained - impersonate authenticated user to any Kerberos service
* Constrained - impersonate authenticated user to specific Kerberos services
* Kerberos Constrained Delegation Protocol Transition - impersonate any user account to specific Kerberos services
* Resource-based Constrained Delegation - enables delegation configured on the resource instead of the account
Unconstrained delegation should be converted to constrained delegation due to security concerns. Any Kerberos delegation that is no longer required should be removed. If there's no associated Kerberos service principal name, Kerberos authentication isn't working and this should be fixed or removed. PowerShell code using the Active Directory PowerShell module: github.com/PyroTek3/Misc/… #ActiveDirectorySecurityTip
Quoting Sean Metcalf (@PyroTek3):

Recently, we looked at Active Directory built-in groups (x.com/PyroTek3/statu…) This week, we focus on Active Directory Group Policy Objects (GPOs). GPOs should be audited regularly to identify the configured owner as well as the permissions to ensure they are appropriate. In the provided script, I added a column called default, so you can look for the non-default owners and permissions to correct. Group Policy in Active Directory is very powerful, so it's important to understand who the owners are. The Group Policy Owner can change permissions on the GPO and get edit rights to the GPO. GPO Owner should only be set to "Domain Admins" or "Enterprise Admins". Changing the owner can be done by opening Active Directory Users and Computers (ADUC), going to the View menu option and selecting Advanced. Then browse down to System, Policies. Right-click on the desired GPO ID and select Properties. Then go to the Security tab and click on the Advanced button. Click on the Change option next to the owner and change the owner to "Domain Admins". Review the permissions that are flagged non-default in the script and ensure they are appropriate. No standard users should have Edit rights. Also, edit rights (& full control) on any GPOs linked to the Domain root and the Domain Controllers OU should only be configured for AD Admins (preferably "Domain Admins"). Script leveraging the Group Policy PowerShell module: github.com/PyroTek3/Misc/… #ActiveDirectorySecurityTip

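To audit the four delegation types listed in the post above, here is an added PowerShell example using the Active Directory module. It is not the script Sean Metcalf links; it assumes the RSAT ActiveDirectory module is installed and the running account can read the domain.

```powershell
# Added example (not the linked script): enumerate the four Kerberos delegation
# types and flag the two remediation cases the post calls out.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Documented userAccountControl flag values
$TRUSTED_FOR_DELEGATION         = 0x80000    # Unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # KCD with protocol transition
$bitAnd = '1.2.840.113556.1.4.803'           # LDAP bitwise-AND matching rule

$props = 'userAccountControl', 'servicePrincipalName',
         'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'

# One query for any object carrying any of the four delegation settings
$filter = "(|(userAccountControl:$bitAnd:=$TRUSTED_FOR_DELEGATION)" +
          "(userAccountControl:$bitAnd:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
          "(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))"

# Domain controllers are unconstrained by design, so exclude them from that finding
$dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

$report = Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
    $uac   = [int]$_.userAccountControl
    $types = @()
    if ($uac -band $TRUSTED_FOR_DELEGATION)            { $types += 'Unconstrained' }
    if ($_.'msDS-AllowedToDelegateTo')                 { $types += 'Constrained' }
    if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)    { $types += 'ProtocolTransition' }
    if ($_.'msDS-AllowedToActOnBehalfOfOtherIdentity') { $types += 'ResourceBased' }

    $findings = @()
    if ($types -contains 'Unconstrained' -and $dcDNs -notcontains $_.DistinguishedName) {
        $findings += 'Convert unconstrained delegation to constrained'
    }
    if (-not $_.servicePrincipalName) {
        $findings += 'No SPN: Kerberos auth cannot work, fix or remove delegation'
    }

    [pscustomobject]@{
        Name           = $_.Name
        ObjectClass    = $_.ObjectClass
        DelegationType = ($types -join ',')
        AllowedTo      = ($_.'msDS-AllowedToDelegateTo' -join ';')
        Findings       = ($findings -join '; ')
    }
}

$report | Sort-Object DelegationType, Name | Format-Table -AutoSize
```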
Scott Sutherland reposted

SpecterOps (@SpecterOps):
👋 Say hello to Nemesis 2.0, a streamlined, Docker Compose-based platform that is laser-focused on file triage. After introducing v1 two years ago, the team has reworked the platform to better serve what people need from it. Read more from @harmj0y. ⤵️ ghst.ly/4mxQzFU
Scott Sutherland reposted

dreadnode (@dreadnode):
In our latest blog, @shncldwll breaks down the process of creating a fully integrated, self-verifying agentic system that can do modern Windows Active Directory red team operations, without human interaction. Read about our approach to building cyber evals to measure model performance, improve harnesses, and analyze failure modes: dreadnode.io/blog/evals-the…
Scott Sutherland reposted

Jared Atkinson (@jaredcatkinson):
Your devs aren’t just writing code, they’re holding keys to your kingdom. BloodHound now supports GitHub identities, so you can visualize access and control in your org’s dev pipeline. Check it out at github.com/SpecterOps/Git…