< NULLCON 2025 - GOA />

About The Training


< Training Title />

Azure Cloud Attacks for Red and Blue Teams

< Training Schedule />

Start Date: Feb 26, 2025

End Date: Feb 28, 2025

< Training Venue />

Venue: TBA

< Training Objectives />

More than 95 percent of Fortune 500 companies use Azure today! A huge number of organizations now use Entra ID as their Identity and Access Management platform. This makes it imperative to understand the risks associated with Azure, since the identities of users across an enterprise are authenticated through it.

This hands-on training focuses on abusing Azure and a number of the services it offers. We will cover multiple complex attack lifecycles against a lab containing multiple live Azure tenants.

Non-exhaustive list of topics:

  • Introduction to Azure
  • Discovery and Recon of services and applications
  • Enumeration
  • Initial Access Attacks
  • Enumeration post authentication
  • Privilege Escalation
  • Lateral Movement
  • Persistence techniques
  • Data Mining
  • Defenses, Monitoring and Auditing
  • Bypassing Defenses

You get one month of access to a live Azure lab environment containing multiple tenants, during and after the class, and an attempt at the Certified Azure Red Team Professional (CARTP) certification.

< Training Level />

Basic - Intermediate

< Training Outlines />

Discovery and Recon of cloud services

  • Introduction and Methodology of the course
  • Getting Started with the lab

Introduction to Azure and Entra ID

  • Services
  • Concepts
  • Comparison with on-prem
  • Authentication, APIs and tokens

Discovery and Recon of services and applications

Enumeration in Azure

  • Using Azure Portal, Az PowerShell and Az CLI
  • Open source tools for enumeration (ROADTools, StormSpotter, AzureHound)

Initial Access Attacks

  • By abusing Enterprise Apps, App Services, Function Apps and Insecure Storage
  • Execute Phishing against MFA
  • Consent Grant Attacks

Authenticated Enumeration (Storage Accounts, Key vaults, Blobs, Automation Accounts, Deployment Templates etc.)

Privilege Escalation (RBAC roles, Entra Roles, Automation Accounts, Group Ownership, Enterprise Apps, Managed Identity) (75 minutes)

Lateral Movement (Pass-the-PRT, Pass-the-Certificate, Across Tenant, cloud to on-prem, on-prem to cloud, Hybrid Identity, Continuous Deployment)

Persistence techniques (Enterprise Apps, Hybrid Identity, Dynamic Groups, VMs, NSGs, DevOps)

Data Mining using IAM, Deployment History, Code Repositories and storage accounts

Defenses, Monitoring and Auditing and Bypassing Defenses

  • Azure Security categorization
  • Microsoft Defender for Cloud
  • Privileged Identity Management
  • Conditional Access
  • Just-in-Time Access
  • Identity Protection
  • Monitoring using Azure Monitor
  • Continuous Access Evaluation
  • Azure Sentinel

< WHAT TO BRING? />

  • System with 4 GB RAM and the ability to install an OpenVPN client and RDP to Windows boxes.
  • Privileges to disable/change any antivirus or firewall.

< Training PREREQUISITE />

Basic understanding of Azure and Cloud Security.

< WHO SHOULD ATTEND? />

Red teamers and penetration testers who want to improve their Azure attack skills should take this class. Blue teamers, Azure administrators, and security professionals who want to understand the approach and techniques of adversaries should also take this class.

< WHAT TO EXPECT? />

  • The course helps students learn and understand attacks against an organization that uses Azure by executing a full 'kill chain'/attack lifecycle.
  • Students get to practice attacks on Azure in a live lab environment that has multiple Azure tenants and a large number of different resources, including hybrid identity and on-prem infrastructure. We have invested a lot in making these labs fun, stable, and compliant with Microsoft directives. The lab is an Azure cloud playground, and students can solve it in multiple ways.
  • Students learn the defenses available to counter the discussed attacks and how to analyze the footprints of the attackers!

< WHAT ATTENDEES WILL GET? />

Attendees will get free one-month access to an Azure playground/lab configured like an enterprise network, during and after the training. In addition, they receive learning aids such as course slides, a lab manual, walk-through videos, and lab support.

< WHAT NOT TO EXPECT? />

Azure is a huge cloud platform. We can cover only the most popular services in Azure. Please do not expect discussion of a large number of services.

< About the Trainer />

Nikhil Mittal is a hacker, infosec researcher, speaker, and enthusiast. His areas of interest include red teaming, Azure and active directory security, attack research, defense strategies, and post-exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Azure AD, Active Directory attacks, defense, and bypassing detection mechanisms.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON, and more.
He is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/