So you really don't think anyone can totally understand kerberos will watch your video😂😅😊
@computerb0y272 ай бұрын
still relevant and good!
@Dandelionq2 ай бұрын
Answer me people cos im stuck
@Dandelionq2 ай бұрын
It didnt generate password
@Dandelionq2 ай бұрын
What im supposed to do
@somnathdeb41092 ай бұрын
Everything is fine..also kindly tell us to remove this whole neo4j server from our system?
@eointhomas29143 ай бұрын
Really enjoyed this vid, I manage some Azure Tenants and all cloud providers are a whole discipline in themselves, so much to look over and keep an eye on
@devkaushik96183 ай бұрын
Learned a lot! Thanks
@z0mn1a4 ай бұрын
Make content losers.
@prisccaviana4 ай бұрын
Man...I had a blast! thank you so much for your brilliant explanation Andy! keep coming!
@robbinsandy4 ай бұрын
It's my pleasure, thank you for watching. I hope the information was useful.
@ashr_4 ай бұрын
Best OS C2 in 2024. Thank you Cody and SpecterOps.
@erilycus4 ай бұрын
Great stuff, got useful for personal project
@faanross4 ай бұрын
oh man this is pure gold thanks!!
@JWieg5 ай бұрын
thanks guys. very very comprehensive overview
@robbinsandy4 ай бұрын
It's our pleasure, thank you for watching
@DaveAitel5 ай бұрын
Having an AUDIENCE for this video that asks questions and clarifies things is GREAT.
@robbinsandy4 ай бұрын
Thank you for that feedback, Dave, and thank you for watching our video
@DaveAitel5 ай бұрын
For next video would appreciate it for us old ppl that you have a SLIGHTLY BIGGER terminal font :)
@robbinsandy4 ай бұрын
Thank you for that note, Dave, I will make sure terminals are easily legible the next time we make a video
@user-zr5ts2qd4h5 ай бұрын
Great Stuff. Do you have a discord link or Telegram?
@specterops5 ай бұрын
We are not on Discord or Telegram. You can follow us on: X: twitter.com/SpecterOps LinkedIn: www.linkedin.com/company/specterops Mastodon: infosec.exchange/@SpecterOps You can also join the conversation on our BloodHound Gang Slack channel at ghst.ly/BHSlack
@josephtillman86395 ай бұрын
Can you elaborate on what you said at 30:55, that disabling user consent would not have prevented SVR from granting consent to the malicious OAuth applications?
@robbinsandy5 ай бұрын
This is regarding the attack path step that Microsoft describes as: "They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications." This is a great question because it may seem as if disabling users' ability to consent to foreign applications would have stopped the attack path in its tracks. But the very next statement Microsoft makes is this: "The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role" What matters in this statement is not the particular app role that was granted. What matters is that this statement is saying the originally compromised service principal had the ability to grant app roles at all. Service principals can only do this by making POST requests to the appRoleAssignedTo MS Graph API endpoint. That action implies that the originally compromised service principal was either already a Global Admin, or had an Entra ID role or MS Graph app role that easily allows promotion of itself to Global Admin, as we detail in this blog post: posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 So, to finally answer the question: Blocking users from consenting to foreign applications would not have stopped the attack path, because at this point in the path, the adversary already had full control of the entire tenant. They could have simply toggled that setting off, or promoted the new user they created to an admin role that allows that user to consent to foreign apps even if the toggle is set to on.
@vedhex5 ай бұрын
Awesome explanation.
@robbinsandy4 ай бұрын
Thank you
@jenquistable5 ай бұрын
Great session, thanks for uploading it.
@robbinsandy4 ай бұрын
It's our pleasure. Thank you for watching the video
@minnuamir5 ай бұрын
Amazing video! Always love to hear from Andy :)
@Crystalduck16 ай бұрын
So con deez nutz
@fabiorj20086 ай бұрын
please share slide.
@specterops6 ай бұрын
You can view the slides at: ghst.ly/48KrccT
@freeload1016 ай бұрын
Bloodhound is pure terror evey time!
@mcacyber6 ай бұрын
please share slide
@specterops6 ай бұрын
You can view the slides at: ghst.ly/48KrccT
@sunny_disposition6 ай бұрын
This is what makes being on the blue team fun. Red can develop some undetected tradecraft but once that is dropped in an exercise, the best blue teamers will expand that into coverage and tests for all the most generic detects possible over as many variations as nessecary. On Windows alone I’ve seen process injection and friends covered by 9 unique combinations of the related events. And tests for all of them. So while colbalt strike may be the most reliable red team approach for exercises, developing test coverage that can run in CI even remotely reliably is a separate challenge. These issues can often lead to frustration on the red side because blue (in my experience) always need more time than red teamers have the patience for.
@df44237 ай бұрын
Were you going to incorporate the prebuilt analysis paths into the CE version at some point?
@stephenhinck92047 ай бұрын
Hi there, are you referring to the pre-built queries? If so, they are available under the Cypher box, then clicking the folder "Open" button on the left-hand side!
@df44237 ай бұрын
Thanks. Found them. @@stephenhinck9204
@shreyasd67947 ай бұрын
Thankyou
@darthmstrvader7 ай бұрын
Best beard in the business
@pipi_delina8 ай бұрын
It's very interesting tool
@user-ye3pq6zv5z8 ай бұрын
Thanks for this. Just one question though, any options to convert data collected using old legacy Sharphound to the new bloodhound-ce supported format? I noticed that even if I ingest it the UI doesn't give me an error, but the data won't show (I presume the bloodhound-ce doesn't recognize the data collected using with legacy Sharphound). any possibility to make the older data work with CE?
@robbinsandy2 ай бұрын
Hi @user-ye3pq6zv5z, sorry for the delay in answering your question. Unfortunately with the major update from Legacy BloodHound to BloodHound Community Edition, we had to make breaking changes that mean data collected from older versions of SharpHound are not compatible with the latest BloodHound.
@dinlaurencebabia65788 ай бұрын
Can someone help? At 12:57, what does it mean if using FQDN to access something, it will break it?
@behindYOUR62 ай бұрын
FQDN to access something refers to specifying the complete domain name for a resource, including the hostname and the domain suffix (e.g., hostname.example.com) "break it" is related to LLMNR. ( look at the example how he got the NTLM hash. break it means in local networks for name resolution when the DNS resolution fails, typically due to DNS server unavailability or misconfiguration. then the LLMNR coming up to play. try to google how FQDN & LLMNR related to each other.
@sunny_disposition9 ай бұрын
Problems I’ve run into as a detection engineer (blue): * red team NOT willing to share their best tradecraft * red team not understanding the challenge of designing detections that are precise enough to be viable * red team drops undetected kill chain and *mic drops*. “We win, gg”. And gets frustrated with the time it takes for blue to come up with a detection and ship / deploy it, analyze early results, deploy allowlisting, and arrive at a detect worth triaging. Some questions for others doing purps out there in the field: * are you purple teaming on your org’s actual network or a testing (and likely much simpler, less noisy) network? * what info / access are you giving red to start with and what is a successful kill chain? Do they get to drop and exec a file on the box or do they have to start with recon / enumerating the attack surface? * Is there a flag that red must exfil, or is the goal to achieve persistence inside the perim, or domain admin?
@Tathamet10 ай бұрын
Thanks I did not know Shroud knows INFOSEC!
@ajayghale26239 ай бұрын
i swear i thot abt the same thing lol
@M4lch4t8 ай бұрын
lol
@awecwec37205 ай бұрын
xdd
@_RaVeN333 ай бұрын
😂 spot on
@bilmantender581210 ай бұрын
Every time SO drops a new tool I'm like: how do you guys consistently crank out such awesome stuff!!!!
@hauntedmound635810 ай бұрын
I really like this.
@MarshallHallenbeck10 ай бұрын
This talk really helped me understand why this is useful, thanks for posting!
@wolfrevokcats789010 ай бұрын
32:56 This is exactly what happened in HTB Forest. Members of the "Exchange Windows Permissions" group have WriteDacl on the domain. Glad that you explained this part. Suggestion, maybe you guys can do HTB (initial scanning can be skipped), probably not a walkthrough but to just explain the science behind it, how to do it right, and how to defend against this attack
@wolfrevokcats789010 ай бұрын
0:29 ACH file is a fixed-width, ASCII file, with each line exactly 94 characters in length. May I know what so special about this? Thanks Andy and Will for all your great jobs
@Chris-zc9bp11 ай бұрын
I came here to learn how to use merlin. Ended up learning much more. Very well presented and easy to understand. Never knew the difference between HTTP 1,2, and 3. That alone, for me, was very helpful and something I should have known long ago. Like they say, you don't know, what you don't know. Thank you
@neoninsv11 ай бұрын
I guess my only complaint is that I will now have less time for coffee breaks betweeen queries lol. Awesome update!
@HAMETE11 ай бұрын
Great work. This looks amazing. Congratulations to the team 👏
@CyberCelt.11 ай бұрын
Really looking forward to this. I've a file of a few gigabytes from a university that was gonna take hours to import into the current bloodhound. Will try again with this one.
@wolfrevokcats789011 ай бұрын
No audio for this? I click the link and it says that "This video isn't available any more" Anyway, you guys rocks! cc @harmj0y @SpecterOps
@linwoodeaton290711 ай бұрын
*Promosm*
@wolfrevokcats7890 Жыл бұрын
5:49 :schema I did run the same command in neo4j but get different output. Why is that?