Compass Security Blog

Offensive Defense

Pwn2Own Ireland 2024 – Ubiquiti AI Bullet

Introduction As you may know, Compass Security participated in the 2023 edition of the Pwn2Own contest in Toronto and was able to successfully compromise the Synology BC500 camera using a remote code execution vulnerability. If you missed this, head over to the blog post here https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-1-how-it-all-started/ Unfortunately, the same vulnerability was also identified by other […]

Continue reading

The Dark Side of Azure Identity & Access Management – 5 IAM & Entra ID Security Risks You Can’t Ignore

Microsoft Azure is probably the most widely used cloud platform in Switzerland, powering businesses of all sizes, from startups to multinational companies. According the the official Microsoft page over 95% of Fortune 500 companies rely on Microsoft Azure in one form or another. With this industry-wide adoption, it has become a critical component of modern-day […]

Continue reading

LinkedIn for OSINT: tips and tricks

When it comes to open source intelligence (OSINT), LinkedIn is a treasure trove of information. With millions of professionals voluntarily sharing details about their careers, connections, personal achievements, or keeping up to date with what is happening in their professional sphere, the famous networking platform is not to be underestimated when it comes to OSINT. […]

Continue reading

Renovate – Keeping Your Updates Secure?

Renovate is an OSS CLI/bot that updates your software dependencies automatically. It is usually integrated into the CI/CD process and runs on a schedule. It will create a Pull Request / Merge Request (PR/MR) to your repository with dependency updates. It can optionally auto-merge them. If you host it for several repositories or an organization, it […]

Continue reading

Bypassing BitLocker Encryption: Bitpixie PoC and WinPE Edition

Depending on the customer’s preference, possible initial access vectors in our red teaming exercises typically include deployment of dropboxes, (device code) phishing or a stolen portable device. The latter is usually a Windows laptop protected by BitLocker for full disk encryption without pre-boot authentication i.e. without a configured PIN or an additional key file. While […]

Continue reading

Introducing EntraFalcon – A Tool to Enumerate Entra ID Objects and Assignments

TL;DR: PowerShell tool to enumerate Entra ID objects, assignments and identify highly privileged objects or risky configurations. https://github.com/CompassSecurity/EntraFalcon Entra ID environments can contain thousands of objects – users, groups, service principals, and more – each with unique properties and complex relationships. While manual reviews through the Entra portal might be feasible in smaller environments, they […]

Continue reading

300 Milliseconds to Admin: Mastering DLL Hijacking and Hooking to Win the Race (CVE-2025-24076 and CVE-2025-24994)

As a pentester you are sometimes thrown into projects where you have no idea where you are going to end up. This project was one of those where you were given a customer laptop and the aim was to “find something interesting”, perhaps a misconfiguration on the customer side. The problem was that the laptop […]

Continue reading

I wannabe Red Team Operator

Red Team Operator. A hype-tagged role tag for which one question hits our corporate LinkedIn inbox very often. “Hey there, how can I become a Red Team Operator? Yours sincerely, a recent graduate.” To us, this is like asking how to become a regular starter on a Premier League football team. There’s nothing wrong with […]

Continue reading

Bypassing Web Filters Part 4: Host Header Spoofing & Domain Fronting Detection Bypasses

In the previous posts of this series, we looked at different ways to bypass web filters, such as Host header spoofing and domain fronting. As we’ve learned, these techniques can be detected by proxies employing TLS inspection, by checking whether the hostname in the SNI matches the one in the HTTP Host header. If they […]

Continue reading

Bypassing Web Filters Part 3: Domain Fronting

The last two blog posts in this series were about SNI spoofing and Host header spoofing. We also learned that the latter is addressed by some vendors with a technique called “Domain Fronting Detection”. But what exactly is domain fronting? This will be explained in this blog post.

Continue reading

« Older posts