Video

Awesome talk! There should be a 2024 version now

Wow amazing

Thanks for posting. 🎉 very interesting

amazing work!

Great talk. Thank you. 🎉

first.

So you really don't think anyone can totally understand kerberos will watch your video😂😅😊

still relevant and good!

Answer me people cos im stuck

It didnt generate password

Everything is fine..also kindly tell us to remove this whole neo4j server from our system?

Really enjoyed this vid, I manage some Azure Tenants and all cloud providers are a whole discipline in themselves, so much to look over and keep an eye on

Learned a lot! Thanks

Make content losers.

Man...I had a blast! thank you so much for your brilliant explanation Andy! keep coming!

Best OS C2 in 2024. Thank you Cody and SpecterOps.

Great stuff, got useful for personal project

oh man this is pure gold thanks!!

thanks guys. very very comprehensive overview

Having an AUDIENCE for this video that asks questions and clarifies things is GREAT.

For next video would appreciate it for us old ppl that you have a SLIGHTLY BIGGER terminal font :)

Great Stuff. Do you have a discord link or Telegram?

Can you elaborate on what you said at 30:55, that disabling user consent would not have prevented SVR from granting consent to the malicious OAuth applications?

Awesome explanation.

Great session, thanks for uploading it.

Amazing video! Always love to hear from Andy :)

So con deez nutz

please share slide.

Bloodhound is pure terror evey time!

please share slide

This is what makes being on the blue team fun. Red can develop some undetected tradecraft but once that is dropped in an exercise, the best blue teamers will expand that into coverage and tests for all the most generic detects possible over as many variations as nessecary. On Windows alone I’ve seen process injection and friends covered by 9 unique combinations of the related events. And tests for all of them. So while colbalt strike may be the most reliable red team approach for exercises, developing test coverage that can run in CI even remotely reliably is a separate challenge. These issues can often lead to frustration on the red side because blue (in my experience) always need more time than red teamers have the patience for.

Were you going to incorporate the prebuilt analysis paths into the CE version at some point?

Thankyou

Best beard in the business

It's very interesting tool

Thanks for this. Just one question though, any options to convert data collected using old legacy Sharphound to the new bloodhound-ce supported format? I noticed that even if I ingest it the UI doesn't give me an error, but the data won't show (I presume the bloodhound-ce doesn't recognize the data collected using with legacy Sharphound). any possibility to make the older data work with CE?

Can someone help? At 12:57, what does it mean if using FQDN to access something, it will break it?

Problems I’ve run into as a detection engineer (blue): * red team NOT willing to share their best tradecraft * red team not understanding the challenge of designing detections that are precise enough to be viable * red team drops undetected kill chain and *mic drops*. “We win, gg”. And gets frustrated with the time it takes for blue to come up with a detection and ship / deploy it, analyze early results, deploy allowlisting, and arrive at a detect worth triaging. Some questions for others doing purps out there in the field: * are you purple teaming on your org’s actual network or a testing (and likely much simpler, less noisy) network? * what info / access are you giving red to start with and what is a successful kill chain? Do they get to drop and exec a file on the box or do they have to start with recon / enumerating the attack surface? * Is there a flag that red must exfil, or is the goal to achieve persistence inside the perim, or domain admin?

Thanks I did not know Shroud knows INFOSEC!

Every time SO drops a new tool I'm like: how do you guys consistently crank out such awesome stuff!!!!

I really like this.

This talk really helped me understand why this is useful, thanks for posting!

32:56 This is exactly what happened in HTB Forest. Members of the "Exchange Windows Permissions" group have WriteDacl on the domain. Glad that you explained this part. Suggestion, maybe you guys can do HTB (initial scanning can be skipped), probably not a walkthrough but to just explain the science behind it, how to do it right, and how to defend against this attack

0:29 ACH file is a fixed-width, ASCII file, with each line exactly 94 characters in length. May I know what so special about this? Thanks Andy and Will for all your great jobs

I came here to learn how to use merlin. Ended up learning much more. Very well presented and easy to understand. Never knew the difference between HTTP 1,2, and 3. That alone, for me, was very helpful and something I should have known long ago. Like they say, you don't know, what you don't know. Thank you

I guess my only complaint is that I will now have less time for coffee breaks betweeen queries lol. Awesome update!

Great work. This looks amazing. Congratulations to the team 👏

Really looking forward to this. I've a file of a few gigabytes from a university that was gonna take hours to import into the current bloodhound. Will try again with this one.

No audio for this? I click the link and it says that "This video isn't available any more" Anyway, you guys rocks! cc @harmj0y @SpecterOps