Intune Attack Paths — Part 1

Prior Work: Several people have recently produced high-quality work around Intune tradecraft. I want to specifically mention: Chris Thompson and his work on Maestro; Dirk-jan Mollema and his work with Primary Refresh Tokens; Adam Chester and his work with Web Account Manager; Brett Hawkins and his work with Intune lateral movement detection; Thibault Van Geluwe de Berlaere, ...
Azure Key Vault Tradecraft with BARK

Brief: This post details the existing and new functions in BARK that support adversarial tradecraft research relevant to the Azure Key Vault service. The latter part of the post shows an example of how a red team operator may use these commands during the course of an assessment. Authentication: Azure Key Vault is ...
Browserless Entra Device Code Flow

Zugspitze, Bavaria, Germany. Photo by Andrew Chiles.

Did you know that it is possible to perform every step in Entra’s OAuth 2.0 Device Code flow — including the user authentication steps — without a browser? Why that matters: Automating authentication flows enables and accelerates comprehensive and ongoing offensive research; Headless authentication frees red teamers and pentesters from requiring browser or cookie access; Demonstrating ...
The Most Dangerous Entra Role You’ve (Probably) Never Heard Of

Entra ID has a built-in role called “Partner Tier2 Support” that enables escalation to Global Admin, but this role is hidden from view in the Azure portal GUI. Why it matters: An adversary may target the “Partner Tier2 Support” role to maintain stealthy, privileged persistence in an Entra ID tenant; Since the Azure portal GUI obscures ...
Andy Robbins (RedZone) - Azure Backdoors: How to Hide Them, How to Find Them - Ekoparty 2022

Directory.ReadWrite.All Is Not As Powerful As You Might Think

Directory.ReadWrite.All is an MS Graph permission that is frequently cited as granting high amounts of privilege, even being equated to the Global Admin Entra ID role. Why it matters: Azure admins and security professionals may put undue focus on this permission at the expense of more impactful permissions; Those more impactful permissions may go ignored, ...
Microsoft Breach — What Happened? What Should Azure Admins Do?

On January 25, 2024, Microsoft published a blog post that detailed their recent breach at the hands of “Midnight Blizzard”. In this blog post, I will explain the attack path “Midnight Blizzard” used and what Azure admins and defenders should do to protect themselves ...
BloodHound Community Edition: A New Era

I’m proud to announce the availability of BloodHound Community Edition (BloodHound CE)! What you need to know: The free and open-source version of BloodHound is now known as BloodHound CE and will remain free and open-source forever under the Apache 2.0 License; BloodHound CE now shares a common code base and documentation with BloodHound Enterprise ...
From DA to EA with ESC5

There’s a new, practical way to escalate from Domain Admin to Enterprise Admin. ESC5: You’ve heard of ESC1 and ESC8. But what about ESC5? ESC5 is also known as “Vulnerable PKI Object Access Control”. Will Schroeder and Lee Christensen’s whitepaper mentions three classes of objects when discussing ESC5: The CA server’s AD computer ...
Introducing BloodHound 4.3 — Get Global Admin More Often

Discover new attack paths traversing Microsoft Graph and seven new Azure Resource Manager objects. Checking out BloodHound for the first time? Here are some handy resources: Get the latest version of BloodHound on GitHub; Read our official documentation; Come hang out with us in the BloodHound Slack. Major Contributions from BloodHound Users: Shoutouts ...
Abusing Azure App Service Managed Identity Assignments

Intro: Azure App Service is a Platform-as-a-Service product that promises to improve web application deployment, hosting, availability, and security. Web Apps hosted by Azure App Service are organized into Azure App Service Plans, which are Virtual Machines that the Web Apps in that plan all run on. The individual Web Apps ...