Commit

Update Offender-365.md
0v3rride authored Dec 18, 2024
1 parent e39527f commit 21b0dc6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion Posts/Offender-365.md
Expand Up @@ -6,7 +6,7 @@ I recently completed the MCRTP exam from Pwnedlabs. The course offered a lot of
The main question I kept asking myself was if other services or scopes could be leveraged in some way within an organization’s tenant? It was mentioned during the MCRTP course that others were looking into Intune as one possible way. However, I had a different idea. What about using the blue team's tools against them?

## TLDR
If you get access to a principal who has the security reader, security operator or security administrator [Entra role](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference) assigned to it, or if you get an access token with the `ThreatHunting.Read.All` (Microsoft Graph Security API) or `AdvancedHunting.Read.All` (Microsoft Threat Protection) API permission/role. Then you can see all of the resources deployed in the tenant using the ExposureGraphNode schema in advanced threat hunting. These resources include sites, function apps, databases and their respective tables, storage accounts and their respective containers, key vaults, VMs, VNets, public IP addresses and more. Also, if you ever have the ability to start live response sessions and are able to do it on a high value machine like a domain controller. Then, you're basically `domain admin` and possibly well on your way to escalating to `global administrator`.
If you get access to a principal who has the security reader, security operator or security administrator [Entra role](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference) assigned to it, or if you get an access token with the `ThreatHunting.Read.All` (Microsoft Graph Security API) or `AdvancedHunting.Read.All` (Microsoft Threat Protection) API permission/role. Then you can see all of the resources deployed in the tenant using the ExposureGraphNode schema in advanced threat hunting. These resources include sites, function apps, databases and their respective tables, storage accounts and their respective containers, key vaults, VMs, VNets, public IP addresses and more. Also, if you ever have the ability to start live response sessions and are able to do it on a high value machine like a domain controller. Then you're basically `domain admin` and possibly well on your way to escalating to `global administrator`.

## Defender 365

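Review bot: Dropping the comma in "Then, you're basically" on the changed line fixes the smaller problem and leaves the larger one on the same line: both "If you get access to a principal ... API permission/role. Then you can see ..." and "Also, if you ever have the ability ... like a domain controller. Then you're basically ..." split one conditional across two sentences, so each "If ..." clause stands as a fragment. Suggest joining each pair with a comma, e.g. "... API permission/role, then you can see all of the resources deployed in the tenant ..." and "... like a domain controller, then you're basically `domain admin` ...". While touching this line, consider capitalising the role names as Security Reader, Security Operator and Security Administrator, which is how the linked Entra permissions reference spells them.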

0 comments on commit 21b0dc6