Great, eye-opening video as always John. I manage multiple Entra ID tenants, and will be locking this behaviour down. I might add Graph Runner to my toolset for testing tenant vulnerabilities to illustrate why these things should be locked down.
I was just working on a project to harden our tenant and we were unable to create a dynamic group that had admin privileges. I was frustrated by this as we have hundreds of admins I have to manage and I have to assign admins to these groups manually, but after seeing this I know understand why Microsoft does not allow this. Great video!
So long as there is a defined set of permissions on the group, what objects it can apply to and has PIM with approval behind it, being able to gain new privs, on the fly, and can be dropped automatically, helps.
I think it is fine to defer authority to users to things like sharepoint sites, teams or powerbi workspaces as long as it's limited to your directory right?
imo it's good to have more options, and in some environments it might be necessary, the issue here is that low privilege users might still have a lot of privileges by default, user accounts should have the minimal amount of permissions unless explicitly set by an admin
About whether it's "necessary" that users can invite guests into the tenant ... If your users want to add somebody from outside the organization to an O365 Teams team (which is a common collaboration requirement), they have to add that person as a guest to their organization's tenant. So usually the "Member users and users assigned ... can invite guest users ..." is selected as a more restrictive setting than the default "Anyone".
Another good entry point is the enterprise apps settings in Azure. By default all users are able to register those enterprise apps and also able to grant permissions to them.
Are you sure about that? You’re saying that non-admin users (meaning an account that holds no active role assignments) are capable of applying a role permission to an enterprise app? All users are capable by default of *consenting* to the delegation of permissions to an enterprise app… but the user account must already have had those permissions assigned in the first place.
So, what is to say that the attacker can run a powershell script and not get picked up by the SOC? I guess if we are talking smaller organizations this should get by. Just ramblin
While I was downloading the aurora lite as you said in one of your videos...using brave browser, the browser showed me like "virus detected", am I hacked ...John? It all happened while downloading the aurora lite version on my laptop..
Need some guidance! I have USDT in my SafePal wallet with the seed phrase (obscure disagree shoe question clown holiday Tunnel stock inmate found scan pet). How can I transfer it to Binance?
Unfortunately microsoft has stopped the test-tenant feature for dev accounts. What you can do is register for trial e3 license and when you created the tenant and it asks you for credit card you can abort the process and the tenant is still created and usable (but without licenses)
Great, eye-opening video as always John. I manage multiple Entra ID tenants, and will be locking this behaviour down. I might add Graph Runner to my toolset for testing tenant vulnerabilities to illustrate why these things should be locked down.
Defender's summary:
PIM, PIM for groups, conditional access, access reviews FTW.
(And the user settings you mentioned at 25:15)
Thanks John!
I was just working on a project to harden our tenant and we were unable to create a dynamic group that had admin privileges. I was frustrated by this as we have hundreds of admins I have to manage and I have to assign admins to these groups manually, but after seeing this I know understand why Microsoft does not allow this. Great video!
I might be a dinosaur but I firmly believe that security should not be dynamic, and users should not be able to join or manage their group access
So long as there is a defined set of permissions on the group, what objects it can apply to and has PIM with approval behind it, being able to gain new privs, on the fly, and can be dropped automatically, helps.
well i am new to Entra and azure, can you elaborate why ?
I think it is fine to defer authority to users to things like sharepoint sites, teams or powerbi workspaces as long as it's limited to your directory right?
imo it's good to have more options, and in some environments it might be necessary, the issue here is that low privilege users might still have a lot of privileges by default, user accounts should have the minimal amount of permissions unless explicitly set by an admin
I think, as with all things, it depends on your threat model and specific org.
About whether it's "necessary" that users can invite guests into the tenant ... If your users want to add somebody from outside the organization to an O365 Teams team (which is a common collaboration requirement), they have to add that person as a guest to their organization's tenant. So usually the "Member users and users assigned ... can invite guest users ..." is selected as a more restrictive setting than the default "Anyone".
John is one of the legends in Cybersecurity
That was a good one. Actually checked that in my company's Azure tenant. Thank You :)
Another good entry point is the enterprise apps settings in Azure. By default all users are able to register those enterprise apps and also able to grant permissions to them.
This guy gets it
100%
And too many people seem completely unaware of them
Are you sure about that?
You’re saying that non-admin users (meaning an account that holds no active role assignments) are capable of applying a role permission to an enterprise app?
All users are capable by default of *consenting* to the delegation of permissions to an enterprise app… but the user account must already have had those permissions assigned in the first place.
This is also my understanding but I haven’t toyed around in those menus from a non privileged account
Could you explain this further? How has a normal User theses rights and how can he practically use it?
Beautiful! As always, super clear and fun to watch. Thank you!
I watched this as a sysadmin trying to protect. Glad to be protected from this shenanigans
I love this guys he is s a good teacher and mentor
I watched like a horror movie. It is unbelievable what a hacker can do
So, what is to say that the attacker can run a powershell script and not get picked up by the SOC? I guess if we are talking smaller organizations this should get by.
Just ramblin
Thanks you so much you probably made me a lot better in cyber security ❤❤ I even watched your 12 year old videos 😊
and why you need to do audits of groups/folders/files/users routinely
Another great video, great work John!
Appreciate the video John 👍
I’ve finished my cert iv in cyber security I would like to be a pen tester or a cyber security analyst what do I do now
While I was downloading the aurora lite as you said in one of your videos...using brave browser, the browser showed me like "virus detected", am I hacked ...John? It all happened while downloading the aurora lite version on my laptop..
another microsoft "feature" that is exploited
? Does the icon look any different or the type column say dynamic..ruel here is dont use dynamic groups..yup
Wow this must be interesting
Thanks John
Need some guidance! I have USDT in my SafePal wallet with the seed phrase (obscure disagree shoe question clown holiday Tunnel stock inmate found scan pet). How can I transfer it to Binance?
John, John, John....
Feedback: Satisfied with persistence 🤣
Let me go through this
Doing this to my boss. Hold my beer
How would someone so stupid to create a dynamic group for admins?!
Finally...
is there still no way to set up a m365 sandbox anymore ?
Unfortunately microsoft has stopped the test-tenant feature for dev accounts. What you can do is register for trial e3 license and when you created the tenant and it asks you for credit card you can abort the process and the tenant is still created and usable (but without licenses)
@@dagobert6420 ooo thank you, I have been looking for a solution
How could this be a default behavior 🎉 sometimes I wonder if devs smoke weeds at Microsoft
Your title `How Hackers Persist & Privesc in Microsoft 365` , is `Privesc` and english word? For sure is a romanian one.
It’s a combination of words, ‘Privilege Escalation’, common shorthand in security.
john l love it
type shii ✍️
This title is very confusing to Romanians...
These default configurations are sooooooooooooooo dumb lol
12:32
😃👍👍
Highlights the importance of RBAC and PIM .
First commetor. Thanks
So dumb windows and Microsoft
First
No, Dick. People count sheep to try and sleep. Is dreaming about sheep even much of a thing, possibly outside some sleepy shepherd circles?
maybe record both screens?