Attacking & Defending Azure AD Lab (CARTP)

Attacking and Defending Azure Lab Objective:

More than 95 percent of Fortune 500 use Azure today! A huge number of organizations now use Azure AD as an Identity and Access Management platform using the hybrid cloud model. This makes it imperative to understand the risks associated with Azure as it contains an enterprises infrastructure, apps, identities and a lot more!

In addition to cloud-only identity, the ability to connect on-prem Active Directory, applications and infrastructure to Azure AD brings some very interesting opportunities and risks too. Often complex to understand, this setup of components, infrastructure and identity is a security challenge.

This hands-on training aims towards abusing Azure, Azure AD and a number of services offered by it. We will cover multiple complex attack lifecycles against a lab containing multiple live Azure tenants.

All the phases of Azure red teaming and pentesting – Discovery, Initial access, Enumeration, Privilege Escalation, Lateral Movement, Persistence and Data mining are covered. We will also discuss detecting and monitoring for the techniques we use.

The course is a mixture of fun, demos, exercises, hands-on and lecture. The training focuses more on methodology and techniques than tools.

If you are a security professional trying to improve your skills in Azure cloud security, Azure Pentesting or Red teaming the Azure cloud this is the right class for you!

What's Included

Red Team Lab, Red Team Certifications, Red Team Trainings, Azure Pentesting, Azure Security

Access to a lab environment (One/Two/Three months) with live Azure environment. Lab can be accessed using a web browser or VPN.
15+ hours of video course with English captions
Course slides
Lab manual
Kill chain and Threat Matrix diagrams
Walk-through videos
One Certification Exam attempt

What will you Learn?

This course helps in upskilling to one of the most coveted skill in information security – Azure security. Drawing from our experience of more than a decade to teach at hacker conferences, this hands-on course helps someone in improving their Azure security skills. The course lab is designed in a way that students can solve it in multiple ways! The lab also includes a CTF for those students who would like more challenge.

The course lab runs on a live Azure environment. Therefore, whatever you learn in the lab is immediately applicable to your job.
Practice attacks on Azure in a unique live lab environment that has multiple Azure tenants and a large number of different resources including hybrid identity and on-prem infrastructure.
There are 4 independent ‘Kill Chains’ and 1 CTF included in the lab environment! Students can play for hours and solve the lab with different approaches.
The lab has User simulations for practicing Illicit Consent Grant and other phishing attacks.
The focus of the course and lab is abuse of features. This means that whatever you learn in the course would have a very long shelf life.
Understand Azure security concepts and apply them in a unique lab environment.
Understand the defenses available to counter the discussed attacks and analyze the footprints of the attackers!

Student Pre-requisites

Basic understanding of Azure is desired but not mandatory.

Purchase On Demand Lab

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$449

Extension

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

$349

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$649

Reattempt

EXAM
REATTEMPT

$99

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$849

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Certificate Renewal - Only For Existing CARTP Certified Student

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$269

Reattempt

ADDITIONAL
RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase
You need a Google account to access the lab portal azureadlab.enterprisesecurity.io
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Nikhil: Founder of Altered Security, BlackHat USA Trainer, DEF CON Speaker

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approach. He has worked extensively on Azure AD, Active Directory attacks, defense and bypassing detection mechanisms.

Nikhil has trained more than 10000 security professionals in private trainings and at the world’s top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.

He is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/

Selected Conference Talks

1 Evading Microsoft ATA for Active Directory Domination (BlackHat USA 2017 and BruCON 2017)

3 PowerShell for Practical Purple Teaming
(x33fcon 2017)

5 RACE - Minimal Rights and ACE for Active Directory Dominance (DEF CON 2019)

2 AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well it Does it (BlackHat USA 2016)

4 PowerShell for Practical Purple
Teaming (DEF CON 21)

6 0wn-premises: Bypassing Microsoft Defender for Identity (BruCON 2022)

Purchase On Demand Lab

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$449

Extension

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

$349

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$649

Reattempt

EXAM
REATTEMPT

$99

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$849

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Certificate Renewal - Only For Existing CARTP Certified Student

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$269

Reattempt

ADDITIONAL
RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase
You need a Google account to access the lab portal azureadlab.enterprisesecurity.io
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Certified Azure Red Team Professional (CARTP)

The Certified Azure Red Team Professional (CARTP) is a completely hands-on certification. To be certified, a student must solve practical and realistic challenges in a live multi-Tenant Azure environment.

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it.

In case you must retake the exam, a re-attempt fee of $99 is applicable. There is a cool down period of one month before a student can appear in the exam again. The student will get an exam environment from the pool of our different exam labs. After total 3 attempts (1 included with the lab and two additional attempts), a student must wait for a cool down period of 6 months.

Certificate Expiry and Renewal

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it. The renewal exam is FREE before the certificate expires. CARTP can also be renewed by taking CARTE. Please take a look at this blog post for more details: https://www.alteredsecurity.com/post/renewal-process-for-altered-security-certifications

Exam Structure

The exam for CARTP is a 24 hours hands-on exam. The students get access to a dedicated exam lab that contains multiple resources and multiple Azure tenants. The student needs to compromise all the resources across tenants and submit a report.

To be successful, a student must compromise all the resources that are mentioned in the exam page of the course portal and submit a detailed report with proof of completion.

Certificate Benefits

A Certified Azure Red Team Professional (CARTP) holder has demonstrated the skills to understand and assess security of an Azure environment. A certificate holder would have practical knowledge of assessing security of an Azure tenant.

A non-exhaustive list of skills and techniques that the certification holder has demonstrated:

Azure services Discovery
Initial Access Attacks (Enterprise Apps, App Services, Function Apps, Insecure Storage, Phishing, Consent Grant Attacks)
Authenticated Enumeration (Storage Accounts, Key vaults, Blobs, Automation Accounts, Deployment Templates etc)
Privilege Escalation (RBAC roles, Azure AD Roles, Across subscriptions)
Lateral Movement (Pass-the-PRT, Across Tenant, cloud to on-prem, on-prem to cloud)
Persistence techniques (Hybrid Identity, Golden SAML, Service Principals, Dynamic Groups)
Data Mining
Defenses and Bypasses

26 Learning Objectives, 77 tasks, 7 Live Azure Tenants, >140 hours of fun!

I. Introduction

Understand Azure and Azure AD.
Learn Azure Architecture and role assignments.
Learn concepts like Management Groups, Subscription, Resource Groups, Resources, ARM, Managed Identity etc.
Understand Azure AD roles and their relationship with Azure.
Understand the attack methodology and Azure Kill Chain.

II. Recon & Discovery

Use OSINT and unauthenticated enumeration techniques to learn about a target organization.
Gather information about the target tenant.
Discover services used by an organization in Azure using subdomain enumeration.
Know how to validate email IDs for an organization.
Understand the default permissions that an Azure AD user has in a tenant.

III. Initial Access

Understand opsec fails when using attacks like password spraying in the cloud
Learn about MS Graph API permissions. Understand the differences between the low impact permissions and high impact ones.
Execute Illicit Consent Grant attack for initial access against multiple user simulations in the lab. Go from a simple access token to workstation compromise and further.
Abuse internet facing web applications to get a foothold. Use Managed Identity assigned to the web applications for further access.
Abuse Insecure storage accounts.
Execute phishing attacks against a user simulation to get their clear-text credentials.
Use application credentials to access the target tenant.
Abuse CI/CD to get access to an Azure tenant by compromising a GitHub account

IV. Enumeration

Enumerate information from Azure AD about users, groups, devices, service principals, applications, and roles.
Map attack paths by listing objects owned by an Azure AD object.
Learn to use Microsoft’s tools like Azure AD Module, Az PowerShell and Az CLI for enumeration.
Understand device identities and map attack paths by enumerating active devices, device owners and state.
Find abusable service principals and applications by looking at applications that have application password, ownership of applications and roles.
Enumerate information from Azure about resources like Virtual Machines, Storage Accounts, Key vaults, Blobs, Automation Accounts, Deployment Templates, App Services, Function Apps and many more.
Enumerate role assignments to map attack paths.
Learn to use tools like ROADRecon and Azure Hound for enumeration. Understand the difference between enumerating Azure AD and on-prem AD.
Learn to use ARM and MS Graph REST API for enumeration.

V. Privilege Escalation

Abuse services like Automation accounts, Key Vaults, Storage Accounts, Deployment History and more for horizontal and vertical privilege escalation in Azure.
Escalate privileges in Azure AD and Azure by abusing Custom roles.
Abuse permissions on other resources (like Ownership, ability to add application password and role assignments) to escalate privileges.
Abuse Custom Script Extension and RunCommand privileges to run commands as SYSTEM on Azure VMs.
Understand Dynamic Groups and abuse the membership rule to get membership of a dynamic group.

VI. Lateral Movement

Abuse Hybrid workers using Runbooks in Automation accounts to move from Azure tenant to on-prem machines.
Execute lateral movement from GitHub to Azure tenant by abusing GitHub actions and deployment to a Function App.
Execute Pass-The-PRT attack to replay PRT cookie of a user to access cloud apps that the user can access.
Abuse Intune to execute commands on on-prem machines.
Perform attacks against applications using Application proxy to execute cloud-to-onprem lateral movement.
Gain a deep understanding of how Hybrid Identity models (PHS, PTA and Federation) can be abused to execute onprem-to-cloud lateral movement.

VII. Persistence

Understand the persistent opportunities when a hybrid identity is used.
Know that features like SSO implemented using AZUREADSSOACC can be abused for persistence.
Understand the criticality of Azure AD Connect server and how OS level persistence on such a machine can be used to compromise both the on-prem and cloud infrastructure.
Get in-depth knowledge of attacks like Skeleton key in the cloud and Golden SAML attack.
Understand the persistence opportunities for Azure resources like storage accounts, applications and service principals, consents and permissions, Azure VMs and NSGs, Custom Azure and Azure AD roles etc.

VIII. Data Mining

Extract secrets from Key vaults by abusing managed identity.
Mapping attack paths by reading role assginments.
Extract secrets from deployment history.
Extract clear-text application passwords and tokens from a compromised Azure user’s workstation.
Extract secrets from blob storage.

IX. Defenses

Understand defense guidance from Microsoft in different categories.
Get in-depth knowledge of Conditional Access Polices, Privileged Identity Management, Azure AD Identity Protection, Microsoft Defender for Cloud and its features like Just-in-time access, Adaptive Network Hardening, Adaptive Application Control and File Integrity Monitoring
Understand Continuous Access Evaluation and its impact on access token replay.
Know about various ways of enforcing MFA in Azure AD.

X. Defenses Bypass

Learn the most widely used Conditional Access Policies and practice their bypasses.
Practice opsec to avoid detections by Azure AD Identity Protection.
Understand the methods that can be used to bypass MFA.
Bypass Cloud Workload Protection by Microsoft Defender for Cloud like JIT, ANH, NSGs and Azure Firewall to access VMs.

azure ad purchse

30 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$449

​30 DAYS LAB EXTENSION + ONE CERTIFICATION EXAM ATTEMPT

$349

60 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$649

EXAM REATTEMPT

$99

90 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$849

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

30 DAYS LAB ACCESS FOR CERT RENEWAL

$269

ADDITIONAL RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase

You need a Google account to access the lab portal azureadlab.enterprisesecurity.io

One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each

Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security

The above lab is a shared environment and certain pre-specified machines will be off-limits

If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

EXAM
REATTEMPT

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

ADDITIONAL
RENEWAL EXAM