What im supposed to do

It's my pleasure, thank you for watching. I hope the information was useful.

It's our pleasure, thank you for watching

Thank you for that feedback, Dave, and thank you for watching our video

Thank you for that note, Dave, I will make sure terminals are easily legible the next time we make a video

We are not on Discord or Telegram. You can follow us on: X: twitter.com/SpecterOps LinkedIn: www.linkedin.com/company/specterops Mastodon: infosec.exchange/@SpecterOps You can also join the conversation on our BloodHound Gang Slack channel at ghst.ly/BHSlack

This is regarding the attack path step that Microsoft describes as: "They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications." This is a great question because it may seem as if disabling users' ability to consent to foreign applications would have stopped the attack path in its tracks. But the very next statement Microsoft makes is this: "The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role" What matters in this statement is not the particular app role that was granted. What matters is that this statement is saying the originally compromised service principal had the ability to grant app roles at all. Service principals can only do this by making POST requests to the appRoleAssignedTo MS Graph API endpoint. That action implies that the originally compromised service principal was either already a Global Admin, or had an Entra ID role or MS Graph app role that easily allows promotion of itself to Global Admin, as we detail in this blog post: posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 So, to finally answer the question: Blocking users from consenting to foreign applications would not have stopped the attack path, because at this point in the path, the adversary already had full control of the entire tenant. They could have simply toggled that setting off, or promoted the new user they created to an admin role that allows that user to consent to foreign apps even if the toggle is set to on.

Thank you

It's our pleasure. Thank you for watching the video

You can view the slides at: ghst.ly/48KrccT

You can view the slides at: ghst.ly/48KrccT

Hi there, are you referring to the pre-built queries? If so, they are available under the Cypher box, then clicking the folder "Open" button on the left-hand side!

Thanks. Found them. @@stephenhinck9204

Hi @user-ye3pq6zv5z, sorry for the delay in answering your question. Unfortunately with the major update from Legacy BloodHound to BloodHound Community Edition, we had to make breaking changes that mean data collected from older versions of SharpHound are not compatible with the latest BloodHound.

FQDN to access something refers to specifying the complete domain name for a resource, including the hostname and the domain suffix (e.g., hostname.example.com) "break it" is related to LLMNR. ( look at the example how he got the NTLM hash. break it means in local networks for name resolution when the DNS resolution fails, typically due to DNS server unavailability or misconfiguration. then the LLMNR coming up to play. try to google how FQDN & LLMNR related to each other.

i swear i thot abt the same thing lol

lol

xdd

😂 spot on