วีดีโอ

i have this error Gracefully stopping... (press Ctrl+C again to force) Error response from daemon: Ports are not available: exposing port TCP 127.0.0.1:8 080 -> 0.0.0.0:0: listen tcp 127.0.0.1:8080: bind: An attempt was made to access a socket in a way forbidden by its access permissions.

Top tier stuff.

28:42 was not expecting to see a reference to Zeno's Paradox, specifically the "Dichotomy Paradox", in a purple team video :)

shroud, king of reddit, is now AD red teamer. What a legend!

wow!

dumb vid, thats how the tech works

That’s not unique to password hash synchronization.

the mythic c2 command prompt is really neat how you can minimize or expand the output with the toggle button. I don't know why cobalt strike doesn't have that (it might for new versions im thinking of 4.5)

I've been meaning to get a better understanding of this, and low and behold SpectorOps appears in my feed 😁

It's an asymptote @ 28:35

Awesome talk! There should be a 2024 version now

Wow amazing

Thanks for posting. 🎉 very interesting

amazing work!

Great talk. Thank you. 🎉

first.

So you really don't think anyone can totally understand kerberos will watch your video😂😅😊

still relevant and good!

Answer me people cos im stuck

It didnt generate password

Everything is fine..also kindly tell us to remove this whole neo4j server from our system?

Really enjoyed this vid, I manage some Azure Tenants and all cloud providers are a whole discipline in themselves, so much to look over and keep an eye on

Learned a lot! Thanks

Make content losers.

Man...I had a blast! thank you so much for your brilliant explanation Andy! keep coming!

Best OS C2 in 2024. Thank you Cody and SpecterOps.

Great stuff, got useful for personal project

oh man this is pure gold thanks!!

thanks guys. very very comprehensive overview

Having an AUDIENCE for this video that asks questions and clarifies things is GREAT.

For next video would appreciate it for us old ppl that you have a SLIGHTLY BIGGER terminal font :)

Great Stuff. Do you have a discord link or Telegram?

Can you elaborate on what you said at 30:55, that disabling user consent would not have prevented SVR from granting consent to the malicious OAuth applications?

Awesome explanation.

Great session, thanks for uploading it.

Amazing video! Always love to hear from Andy :)

So con deez nutz

please share slide.

Bloodhound is pure terror evey time!

please share slide

This is what makes being on the blue team fun. Red can develop some undetected tradecraft but once that is dropped in an exercise, the best blue teamers will expand that into coverage and tests for all the most generic detects possible over as many variations as nessecary. On Windows alone I’ve seen process injection and friends covered by 9 unique combinations of the related events. And tests for all of them. So while colbalt strike may be the most reliable red team approach for exercises, developing test coverage that can run in CI even remotely reliably is a separate challenge. These issues can often lead to frustration on the red side because blue (in my experience) always need more time than red teamers have the patience for.

Were you going to incorporate the prebuilt analysis paths into the CE version at some point?

Thankyou

Best beard in the business

It's very interesting tool

Thanks for this. Just one question though, any options to convert data collected using old legacy Sharphound to the new bloodhound-ce supported format? I noticed that even if I ingest it the UI doesn't give me an error, but the data won't show (I presume the bloodhound-ce doesn't recognize the data collected using with legacy Sharphound). any possibility to make the older data work with CE?

Can someone help? At 12:57, what does it mean if using FQDN to access something, it will break it?

Problems I’ve run into as a detection engineer (blue): * red team NOT willing to share their best tradecraft * red team not understanding the challenge of designing detections that are precise enough to be viable * red team drops undetected kill chain and *mic drops*. “We win, gg”. And gets frustrated with the time it takes for blue to come up with a detection and ship / deploy it, analyze early results, deploy allowlisting, and arrive at a detect worth triaging. Some questions for others doing purps out there in the field: * are you purple teaming on your org’s actual network or a testing (and likely much simpler, less noisy) network? * what info / access are you giving red to start with and what is a successful kill chain? Do they get to drop and exec a file on the box or do they have to start with recon / enumerating the attack surface? * Is there a flag that red must exfil, or is the goal to achieve persistence inside the perim, or domain admin?

Thanks I did not know Shroud knows INFOSEC!

Every time SO drops a new tool I'm like: how do you guys consistently crank out such awesome stuff!!!!