How Hackers Persist & Privesc in Microsoft 365

Рет қаралды 43,633

John Hammond

Күн бұрын

Пікірлер: 69

@_JohnHammond 23 күн бұрын

wowee zowee, try out jh.live/training for more education and my newsletter at jh.live/newsletter if you want lol

@MatazaNz 2 ай бұрын

Great, eye-opening video as always John. I manage multiple Entra ID tenants, and will be locking this behaviour down. I might add Graph Runner to my toolset for testing tenant vulnerabilities to illustrate why these things should be locked down.

@nicholasmartinez7011 2 ай бұрын

I was just working on a project to harden our tenant and we were unable to create a dynamic group that had admin privileges. I was frustrated by this as we have hundreds of admins I have to manage and I have to assign admins to these groups manually, but after seeing this I know understand why Microsoft does not allow this. Great video!

@muzso 2 ай бұрын

About whether it's "necessary" that users can invite guests into the tenant ... If your users want to add somebody from outside the organization to an O365 Teams team (which is a common collaboration requirement), they have to add that person as a guest to their organization's tenant. So usually the "Member users and users assigned ... can invite guest users ..." is selected as a more restrictive setting than the default "Anyone".

@markc6714 2 ай бұрын

I might be a dinosaur but I firmly believe that security should not be dynamic, and users should not be able to join or manage their group access

@c1ph3rpunk 2 ай бұрын

So long as there is a defined set of permissions on the group, what objects it can apply to and has PIM with approval behind it, being able to gain new privs, on the fly, and can be dropped automatically, helps.

@ahmadmansour1171 2 ай бұрын

well i am new to Entra and azure, can you elaborate why ?

@maaikevreugdemaker9210 2 ай бұрын

I think it is fine to defer authority to users to things like sharepoint sites, teams or powerbi workspaces as long as it's limited to your directory right?

@richieMP118 2 ай бұрын

imo it's good to have more options, and in some environments it might be necessary, the issue here is that low privilege users might still have a lot of privileges by default, user accounts should have the minimal amount of permissions unless explicitly set by an admin

@bolivianPsyOp 2 ай бұрын

I think, as with all things, it depends on your threat model and specific org.

@dagobert6420 2 ай бұрын

Another good entry point is the enterprise apps settings in Azure. By default all users are able to register those enterprise apps and also able to grant permissions to them.

@Duder-y5o 2 ай бұрын

This guy gets it

@37thFrequency 2 ай бұрын

100% And too many people seem completely unaware of them

@50PullUps 2 ай бұрын

Are you sure about that? You’re saying that non-admin users (meaning an account that holds no active role assignments) are capable of applying a role permission to an enterprise app? All users are capable by default of *consenting* to the delegation of permissions to an enterprise app… but the user account must already have had those permissions assigned in the first place.

@bolivianPsyOp 2 ай бұрын

This is also my understanding but I haven’t toyed around in those menus from a non privileged account

@whysoserious.5723 2 ай бұрын

Could you explain this further? How has a normal User theses rights and how can he practically use it?

@gat2871 2 ай бұрын

Beautiful! As always, super clear and fun to watch. Thank you!

@SzymekCRX 2 ай бұрын

That was a good one. Actually checked that in my company's Azure tenant. Thank You :)

@Sam_Bent 2 ай бұрын

Another great video, great work John!

@mohdcom25 2 ай бұрын

John is one of the legends in Cybersecurity

@eddie79it1 Ай бұрын

what to say..thanks for the continuos showcase that is helping understand how the attacks can be done..

@chrisalupului 2 ай бұрын

Appreciate the video John 👍

@Ptysolution 2 ай бұрын

I love this guys he is s a good teacher and mentor

@PeterswoLP 2 ай бұрын

I watched this as a sysadmin trying to protect. Glad to be protected from this shenanigans

@tmac9208 2 ай бұрын

and why you need to do audits of groups/folders/files/users routinely

@AlexTsaava 2 ай бұрын

Thanks you so much you probably made me a lot better in cyber security ❤❤ I even watched your 12 year old videos 😊

@armymdc4 2 ай бұрын

So, what is to say that the attacker can run a powershell script and not get picked up by the SOC? I guess if we are talking smaller organizations this should get by. Just ramblin

@yavuz5458 2 ай бұрын

I watched like a horror movie. It is unbelievable what a hacker can do

@tmac9208 2 ай бұрын

? Does the icon look any different or the type column say dynamic..ruel here is dont use dynamic groups..yup

@TELL_ME_WHY_NOT 2 ай бұрын

Thanks John

@immersiveinment 2 ай бұрын

While I was downloading the aurora lite as you said in one of your videos...using brave browser, the browser showed me like "virus detected", am I hacked ...John? It all happened while downloading the aurora lite version on my laptop..

@Pumbafb 2 ай бұрын

I’ve finished my cert iv in cyber security I would like to be a pen tester or a cyber security analyst what do I do now

@johngoodbrake7056 2 ай бұрын

Doing this to my boss. Hold my beer

@C.ClaytonJones-d8e 2 ай бұрын

Hi. I have evidently been hacked by someone who really dislikes me and is determined to not let my system run my way. They install vms, several Intel xtu devices, use the printer server and remote desktop. I suspected it may be near me but I need to make sure. I also need to stop them. Any ideas?

@innxrmxst2207 2 ай бұрын

12:32

@Zachsnotboard 2 ай бұрын

is there still no way to set up a m365 sandbox anymore ?

@dagobert6420 2 ай бұрын

Unfortunately microsoft has stopped the test-tenant feature for dev accounts. What you can do is register for trial e3 license and when you created the tenant and it asks you for credit card you can abort the process and the tenant is still created and usable (but without licenses)

@Zachsnotboard 2 ай бұрын

@@dagobert6420 ooo thank you, I have been looking for a solution

@jytan740 2 ай бұрын

another microsoft "feature" that is exploited

@uncleburu9464 2 ай бұрын

Wow this must be interesting

@benardtera1090 2 ай бұрын

Let me go through this

@pswalia2u 2 ай бұрын

Feedback: Satisfied with persistence 🤣

@RichDOTDOTcom 2 ай бұрын

I'm interested to find out how to see what events are triggered on the victim side, anyone else tried looking at this from a logging perspective?

@roxyu3384 2 ай бұрын

How would someone so stupid to create a dynamic group for admins?!

@srikeshmaharaj 2 ай бұрын

John, John, John....

@CalinMartinconi 2 ай бұрын

Your title `How Hackers Persist & Privesc in Microsoft 365` , is `Privesc` and english word? For sure is a romanian one.

@c1ph3rpunk 2 ай бұрын

It’s a combination of words, ‘Privilege Escalation’, common shorthand in security.

@kingajaz8580 Ай бұрын

Privilege escalation

@nigellawrence7173 2 ай бұрын

john l love it

@lxn7404 2 ай бұрын

How could this be a default behavior 🎉 sometimes I wonder if devs smoke weeds at Microsoft

@srikeshmaharaj 2 ай бұрын

Finally...

@UkashaHacksCommunity 2 ай бұрын

First commetor. Thanks

@brewdir 2 ай бұрын

These default configurations are sooooooooooooooo dumb lol

@Fisjeie 2 ай бұрын

type shii ✍️

@CristiNeagu 2 ай бұрын

This title is very confusing to Romanians...

@carsonjamesiv2512 2 ай бұрын

😃👍👍

@iamwitchergeraltofrivia9670 2 ай бұрын

So dumb windows and Microsoft

@oussamasky1 2 ай бұрын

First

@chesthoIe 2 ай бұрын

No, Dick. People count sheep to try and sleep. Is dreaming about sheep even much of a thing, possibly outside some sleepy shepherd circles?

@rsinistic 2 ай бұрын

Highlights the importance of RBAC and PIM .

@LinuxJedi 2 ай бұрын

maybe record both screens?