Great, eye-opening video as always John. I manage multiple Entra ID tenants, and will be locking this behaviour down. I might add Graph Runner to my toolset for testing tenant vulnerabilities to illustrate why these things should be locked down.
I was just working on a project to harden our tenant and we were unable to create a dynamic group that had admin privileges. I was frustrated by this as we have hundreds of admins I have to manage and I have to assign admins to these groups manually, but after seeing this I know understand why Microsoft does not allow this. Great video!
About whether it's "necessary" that users can invite guests into the tenant ... If your users want to add somebody from outside the organization to an O365 Teams team (which is a common collaboration requirement), they have to add that person as a guest to their organization's tenant. So usually the "Member users and users assigned ... can invite guest users ..." is selected as a more restrictive setting than the default "Anyone".
So long as there is a defined set of permissions on the group, what objects it can apply to and has PIM with approval behind it, being able to gain new privs, on the fly, and can be dropped automatically, helps.
I think it is fine to defer authority to users to things like sharepoint sites, teams or powerbi workspaces as long as it's limited to your directory right?
imo it's good to have more options, and in some environments it might be necessary, the issue here is that low privilege users might still have a lot of privileges by default, user accounts should have the minimal amount of permissions unless explicitly set by an admin
Another good entry point is the enterprise apps settings in Azure. By default all users are able to register those enterprise apps and also able to grant permissions to them.
Are you sure about that? You’re saying that non-admin users (meaning an account that holds no active role assignments) are capable of applying a role permission to an enterprise app? All users are capable by default of *consenting* to the delegation of permissions to an enterprise app… but the user account must already have had those permissions assigned in the first place.
So, what is to say that the attacker can run a powershell script and not get picked up by the SOC? I guess if we are talking smaller organizations this should get by. Just ramblin
Hi. I have evidently been hacked by someone who really dislikes me and is determined to not let my system run my way. They install vms, several Intel xtu devices, use the printer server and remote desktop. I suspected it may be near me but I need to make sure. I also need to stop them. Any ideas?
While I was downloading the aurora lite as you said in one of your videos...using brave browser, the browser showed me like "virus detected", am I hacked ...John? It all happened while downloading the aurora lite version on my laptop..
Unfortunately microsoft has stopped the test-tenant feature for dev accounts. What you can do is register for trial e3 license and when you created the tenant and it asks you for credit card you can abort the process and the tenant is still created and usable (but without licenses)
wowee zowee, try out jh.live/training for more education and my newsletter at jh.live/newsletter if you want lol
Great, eye-opening video as always John. I manage multiple Entra ID tenants, and will be locking this behaviour down. I might add Graph Runner to my toolset for testing tenant vulnerabilities to illustrate why these things should be locked down.
I was just working on a project to harden our tenant and we were unable to create a dynamic group that had admin privileges. I was frustrated by this as we have hundreds of admins I have to manage and I have to assign admins to these groups manually, but after seeing this I know understand why Microsoft does not allow this. Great video!
About whether it's "necessary" that users can invite guests into the tenant ... If your users want to add somebody from outside the organization to an O365 Teams team (which is a common collaboration requirement), they have to add that person as a guest to their organization's tenant. So usually the "Member users and users assigned ... can invite guest users ..." is selected as a more restrictive setting than the default "Anyone".
I might be a dinosaur but I firmly believe that security should not be dynamic, and users should not be able to join or manage their group access
So long as there is a defined set of permissions on the group, what objects it can apply to and has PIM with approval behind it, being able to gain new privs, on the fly, and can be dropped automatically, helps.
well i am new to Entra and azure, can you elaborate why ?
I think it is fine to defer authority to users to things like sharepoint sites, teams or powerbi workspaces as long as it's limited to your directory right?
imo it's good to have more options, and in some environments it might be necessary, the issue here is that low privilege users might still have a lot of privileges by default, user accounts should have the minimal amount of permissions unless explicitly set by an admin
I think, as with all things, it depends on your threat model and specific org.
John is one of the legends in Cybersecurity
Beautiful! As always, super clear and fun to watch. Thank you!
Another great video, great work John!
Another good entry point is the enterprise apps settings in Azure. By default all users are able to register those enterprise apps and also able to grant permissions to them.
This guy gets it
100%
And too many people seem completely unaware of them
Are you sure about that?
You’re saying that non-admin users (meaning an account that holds no active role assignments) are capable of applying a role permission to an enterprise app?
All users are capable by default of *consenting* to the delegation of permissions to an enterprise app… but the user account must already have had those permissions assigned in the first place.
This is also my understanding but I haven’t toyed around in those menus from a non privileged account
Could you explain this further? How has a normal User theses rights and how can he practically use it?
That was a good one. Actually checked that in my company's Azure tenant. Thank You :)
what to say..thanks for the continuos showcase that is helping understand how the attacks can be done..
Appreciate the video John 👍
I love this guys he is s a good teacher and mentor
I watched like a horror movie. It is unbelievable what a hacker can do
So, what is to say that the attacker can run a powershell script and not get picked up by the SOC? I guess if we are talking smaller organizations this should get by.
Just ramblin
and why you need to do audits of groups/folders/files/users routinely
I watched this as a sysadmin trying to protect. Glad to be protected from this shenanigans
Thanks you so much you probably made me a lot better in cyber security ❤❤ I even watched your 12 year old videos 😊
I’ve finished my cert iv in cyber security I would like to be a pen tester or a cyber security analyst what do I do now
Hi. I have evidently been hacked by someone who really dislikes me and is determined to not let my system run my way. They install vms, several Intel xtu devices, use the printer server and remote desktop. I suspected it may be near me but I need to make sure. I also need to stop them. Any ideas?
While I was downloading the aurora lite as you said in one of your videos...using brave browser, the browser showed me like "virus detected", am I hacked ...John? It all happened while downloading the aurora lite version on my laptop..
? Does the icon look any different or the type column say dynamic..ruel here is dont use dynamic groups..yup
Thanks John
I'm interested to find out how to see what events are triggered on the victim side, anyone else tried looking at this from a logging perspective?
is there still no way to set up a m365 sandbox anymore ?
Unfortunately microsoft has stopped the test-tenant feature for dev accounts. What you can do is register for trial e3 license and when you created the tenant and it asks you for credit card you can abort the process and the tenant is still created and usable (but without licenses)
@@dagobert6420 ooo thank you, I have been looking for a solution
another microsoft "feature" that is exploited
Let me go through this
How would someone so stupid to create a dynamic group for admins?!
Doing this to my boss. Hold my beer
Wow this must be interesting
John, John, John....
Your title `How Hackers Persist & Privesc in Microsoft 365` , is `Privesc` and english word? For sure is a romanian one.
It’s a combination of words, ‘Privilege Escalation’, common shorthand in security.
Privilege escalation
Feedback: Satisfied with persistence 🤣
12:32
How could this be a default behavior 🎉 sometimes I wonder if devs smoke weeds at Microsoft
john l love it
Finally...
type shii ✍️
First commetor. Thanks
These default configurations are sooooooooooooooo dumb lol
This title is very confusing to Romanians...
😃👍👍
So dumb windows and Microsoft
First
No, Dick. People count sheep to try and sleep. Is dreaming about sheep even much of a thing, possibly outside some sleepy shepherd circles?
Highlights the importance of RBAC and PIM .
maybe record both screens?