TTPwire Vol. 1 · MITRE ATT&CK·Tagged


NetSPI

Walking Through an Attack Path with ForceHound

Weylon Solis · 2026-04-17

ATT&CK techniques detected

5 predictions
T1525 Implant Internal Image
92%
"##sapp ] - > ( app : sf _ connectedapp ) return p, r, app limit 10 now combine that with the identity graph to find which users can reach a specific app through their profile : match p = ( u : sf _ user ) - [ : hasprofile ] - > ( prof : sf _ profile ) - [ : canaccessapp ] - > ( a…"
T1525 Implant Internal Image
74%
"set three years ago probably didn ’ t consider it a path to full org compromise. scenario 2 : connected app exposure via implicit access in the connected app post, i walked through a scenario where an attacker used a malicious connected app to pivot from oauth consent to aws cred…"
T1552.005 Cloud Instance Metadata API
56%
"to custom metadata types containing hardcoded aws credentials, you ’ ve just mapped the exact blast radius i described in that post. with forcehound and bloodhound, you can see it before an attacker exploits it. more useful cypher queries once the graph is in bloodhound, the ques…"
T1525 Implant Internal Image
54%
"to custom metadata types containing hardcoded aws credentials, you ’ ve just mapped the exact blast radius i described in that post. with forcehound and bloodhound, you can see it before an attacker exploits it. more useful cypher queries once the graph is in bloodhound, the ques…"
T1098 Account Manipulation
50%
"##data, this query returns the path. but the more interesting case is when the path isn ’ t direct. what if the user doesn ’ t have modifyalldata, but they do have manageusers or assignpermissionsets? match p = ( u : sf _ user ) - [ : hasprofile | haspermissionset ] - > ( ps ) - …"

Summary

In Part 2 of the series, Weylon covers how to use ForceHound to visualize Salesforce attack paths in BloodHound CE and to identify transitive privilege escalation and legacy Connected App exposures.

The post Walking Through an Attack Path with ForceHound appeared first on NetSPI.