Attacking and Defending Azure

Advanced Azure Attacks - Advanced

Azure is widely used by enterprises for a variety of purposes. There is a huge offering of services across various categories in Azure - Identity, Compute, Networking, Storage, Databases, Analytics, Security and many more.

Azure, like any other cloud, changes rapidly and Microsoft keeps adding new defenses both as improvements and new security service offerings.

This advanced class is designed to help security professionals to understand, analyze and practice attacks in an enterprise-like live Azure environment that has effective security controls in place.

The class also focuses on abuse of JWT signing, Family of Client IDs (FOCI), Attribute Based Access Control (ABAC), Temporary Access Password (TAP), Custom Claims, Cross Tenant Access, Azure Lighthouse, Azure ARC, Multi-Cloud Access, Tokens form Office Applications and traffic and Abuse of Kerberos in Entra ID.

Knowing how to attack and defend Azure is a highly sought after skill. Being able to do that against a secure environment is even more critical. This capability demonstrates a deep understanding of Azure red teaming concepts!

What's Included

Red Team Lab, Red Team Certifications, Red Team Trainings, Azure Pentesting, Azure Security

Access to a multi-tenant lab (One/Two/Three months) with live Azure environment. Lab can be accessed using a web browser or VPN.
16+ hours of video course with English captions
Course slides
Lab manual
Kill chain diagrams
Walk-through videos
One Certification Exam attempt for Certified Azure Red Team Expert (CARTE)

What will you Learn?

You will be able to practice and sharpen popular tactics, techniques and procedures (TTPs) for Azure environments. In addition, you will learn how to bypass security controls like Advanced Conditional Access Policies, Multiple ways to bypass MFA that is enforced using different methods, Privileged Identity Management (PIM) and Microsoft Defender for Cloud.

A true step-up in Azure red team training, this course and HUGE lab helps you in understanding and executing some unique and advanced attacks when industry-recommended defenses are actively configured.

The course lab runs on a live Azure environment. Therefore, whatever you learn in the lab is immediately applicable to your job.
Practice attacks on Azure in a unique live lab environment that has multiple Azure tenants, different resources including hybrid identity and on-prem infrastructure and access to Defender for Cloud for Azure resources.
The lab environment makes heave use of recommended security features like Conditional Access Policies, MFA and Defender for Cloud. You learn how to evade these defenses.
There are 4 independent ‘Kill Chains’ included in the lab environment! Students can play for hours and solve the lab with different approaches.
The lab has multiple User simulations for practicing attacks like Device Code Phishing, Illicit Consent Grant, AiTM phishing and other attacks.
The focus of the course and lab is abuse of features. This means that whatever you learn in the course would have a very long shelf life.
Understand the defenses available to counter the discussed attacks and analyze the footprints of the attackers!

Student Pre-requisites

Understanding of Azure security or red teaming. If you are new to Azure security, please go for the basic edition of this class - Attacking and Defending Azure - Basic Edition (https://www.alteredsecurity.com/azureadlab)

Purchase On Demand Lab

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$499

Extension

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

$399

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$699

Reattempt

EXAM
REATTEMPT

$99

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$899

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Certificate Renewal - Only For Existing CARTE Certified Student

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$299

Reattempt

ADDITIONAL
RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase
You need a Google account to access the lab portal https://azureadvanced.enterprisesecurity.io/
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Nikhil: Founder of Altered Security, BlackHat USA Trainer, DEF CON Speaker

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approach. He has worked extensively on Azure AD, Active Directory attacks, defense and bypassing detection mechanisms.

Nikhil has trained more than 10000 security professionals in private trainings and at the world’s top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.

He is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/

Selected Conference Talks

1 Evading Microsoft ATA for Active Directory Domination (BlackHat USA 2017 and BruCON 2017)

3 PowerShell for Practical Purple Teaming
(x33fcon 2017)

5 RACE - Minimal Rights and ACE for Active Directory Dominance (DEF CON 2019)

2 AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well it Does it (BlackHat USA 2016)

4 PowerShell for Practical Purple
Teaming (DEF CON 21)

6 0wn-premises: Bypassing Microsoft Defender for Identity (BruCON 2022)

Purchase On Demand Lab

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$499

Extension

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

$399

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$699

Reattempt

EXAM
REATTEMPT

$99

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$899

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Certificate Renewal - Only For Existing CARTE Certified Student

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$299

Reattempt

ADDITIONAL
RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase
You need a Google account to access the lab portal https://azureadvanced.enterprisesecurity.io/
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Certified Azure Red Team Expert (CARTE)

The Certified Azure Red Team Expert (CARTE) is a completely hands-on certification. To be certified, a student must solve practical and realistic challenges in a highly secure live multi-Tenant Azure environment.

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it.

In case you must retake the exam, a re-attempt fee of $99 is applicable. There is a cool down period of one month before a student can appear in the exam again. The student will get an exam environment from the pool of our different exam labs. After total 3 attempts (1 included with the lab and two additional attempts), a student must wait for a cool down period of 6 months.

Certificate Expiry and Renewal

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it. The renewal exam is FREE before the certificate expires. Please take a look at this blog post for more details: https://www.alteredsecurity.com/post/renewal-process-for-altered-security-certifications

Exam Structure

The exam for CARTE is a 48 hours hands-on exam. The students get access to a dedicated exam lab that contains multiple resources and multiple Azure tenants. The student needs to compromise all the resources across tenants and submit a report.

To be successful, a student must compromise all the resources that are mentioned in the exam page of the course portal and submit a detailed report with proof of completion.

Certificate Benefits

A Certified Azure Red Team Expert (CARTE) certificate holder has demonstrated expertise in running a red team operation against a highly secure enterprise-like Azure environment. They can assess security controls, analyze their efficacy and recommend mitigations against misconfigurations. Due to hands-on nature of the lab and certification, a certificate holder is ready to use the skills to enhance and improve security posture of an organization.

18 Learning Objectives, 4 Kill Chains, 5 Live Azure Tenants, >200 hours of fun!

I. Introduction

Introduction to attack methodology and tools
Microsoft Identity Platform
Introduction to OAuth
Microsoft Graph
Note: Each kill chain covers all phases of an attack against Azure - Information gathering, Initial Access, Enumeration, Privilege Escalation, Lateral Movement, Persistence, Data Mining and Evasion.

II. Kill Chain 1

Learning Objective - 1

Understanding Device Authorization Grant Flow
Initial Access - Device Code Phishing
Executing device code phishing manually
Tools for device code phishing
Initial Access - Dynamic Device Code Phishing
Setting up custom Azure infrastructure for dynamic device code phishing
Privilege Escalation - Understanding and abusing Family of Client IDs (FOCI)
Defense Evasion - Evading MFA
Defenses against Device Code Phishing

Learning Objective - 2

Privilege escalation - Abusing Key vault actions for signing JWT Assertions

Learning Objective - 3

Privilege escalation - Abusing Attributed-based Access Control (ABAC)
Privilege escalation - Abusing application permissions

Learning Objective - 4

Enumerating Conditional Access Policy and finding gaps
MFA Evasion

Learning Objective - 5

Defense evasion - Understanding and abusing Temporary Access Pass (TAP)
Lateral movement - Executing attacks across tenants using Cross-tenant access settings.

Learning Objective - 6

Defense evasion and privilege escalation - Abusing Privileged Identity Management (PIM) role assignments.
MFA bypass

III. Kill Chain 2

Learning Objective - 7

Understanding claims in Entra applications
Initial Access - Abuse of mutable claims in applications
Defense against claims abuse

Learning Objective - 8

Understand Logic apps and their abuse for privilege escalation
Defense evasion - MFA bypass
Lateral movement - Cross tenant movement by abusing B2B collaboration

Learning Objective - 9

Understanding hybrid identity and cloud sync
Cloud to on-prem lateral movement - Abusing cloud sync
Compromising on-prem environment
Lateral movement between on-prem forests
Persistence - Abusing the cloud sync service account

IV. Kill Chain 3

Learning Objective - 10

Understanding GitHub actions and components
Initial access - Abusing GitHub actions

Learning Objective - 11

Enumeration - Authentication strength and conditional access
Defense evasion - Evade phishing-resistant MFA
Data Mining - Extracting sensitive information from automation accounts

Learning Objective - 12

Lateral movement - Accessing EC2 instance
Data mining - Abusing user data
Data mining - Token extraction from office apps using multiple methods
Data mining - Access M365 services using stolen token

Learning Objective - 13

Understanding Microsoft Entra Kerberos and Azure File Shares
Persistence - Abusing Entra App registration for file share
Cloud to on-prem lateral movement - Abusing Microsoft Entra Kerberos

IV. Kill Chain 4

Learning Objective - 14

Understanding consents and permissions in Entra applications
Initial Access - Illicit Consent Grant
Setting up custom Azure infrastructure for Illicit Consent Grant
Data mining - Reading Teams chat
Defense against Illicit Consent Grant

Learning Objective - 15

Defense Evasion - Evade conditional access and MFA
Initial Access - Attacker in The Middle phishing
Privilege Escalation - Session Cookie Replay
Defense evasion - Bypass MFA
Data Mining - Extracting sensitive information from automation accounts

Learning Objective - 16

Understanding Cloud Service Providers and Partners in Azure
Understanding Azure Lighthouse
Privilege Escalation - Abuse service provider permissions

Learning Objective - 17

Understanding Azure Arc
Cloud to on-prem lateral movement - Abusing Arc-enabled servers and extensions
Defense against Arc-enabled servers
Understanding SQL Servers in Azure Arc and Azure SQL Database
On-Prem to cloud lateral movement - Abusing Linked Servers

Learning Objective - 18

Understanding SAML SSO in Entra ID
Privilege Escalation - Abusing SAML SSO to access enterprise applications as other users

azure ad purchse

30 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$499

​30 DAYS LAB EXTENSION + ONE CERTIFICATION EXAM ATTEMPT

$399

60 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$699

EXAM REATTEMPT

$99

90 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$899

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

30 DAYS LAB ACCESS FOR CERT RENEWAL

$299

ADDITIONAL RENEWAL EXAM

$29

Terms of Purchase and Use:

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

EXAM
REATTEMPT

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

ADDITIONAL
RENEWAL EXAM