
Cloud Red Team Tactics for Azure – Advanced Edition
This training is only available as a private class
Overview & Course Content
Azure and Entra ID are widely used by enterprises for a variety of purposes. There is a huge offering of services across various categories in Azure - Identity, AI, Compute, Networking, Storage, Databases, Analytics, Security and many more.
Azure, like any other cloud, changes rapidly and Microsoft keeps adding new defenses both as improvements and new security service offerings.
This advanced class is designed to help security professionals to understand, analyze and practice attacks in an enterprise-like live multi-tenant Azure environment that has effective security controls in place.
- Introduction to attack methodology and tools.
- Microsoft Identity Platform
- Introduction to OAuth
- Microsoft Graph
- Initial Access - Device Code Phishing.
- Executing device code phishing manually
- Tools for device code phishing
- Initial Access - Dynamic Device Code Phishing
- Setting up custom Azure infrastructure for dynamic device code phishing
- Privilege Escalation - Understanding and abusing Family of Client IDs (FOCI).
- Defense Evasion - Evading MFA.
- Defenses against Device Code Phishing.
- Privilege escalation - Abusing Key Vault actions for signing JWT Assertions.
- Privilege escalation - Abusing Attribute-based Access Control (ABAC).
- Privilege escalation - Abusing application permissions.
- MFA Evasion (Exclusions in Conditional Access Policies).
- Defense evasion - Understanding and abusing Temporary Access Pass (TAP)
- Lateral movement - Executing attacks across tenants using Cross-tenant access settings.
- Defense evasion and privilege escalation - Abusing Privileged Identity Management (PIM) role assignments.
- MFA bypass for PIM role activation
- Initial Access - Abuse of mutable claims in applications
- Defense against claims abuse
- Understand Logic Apps and their abuse for privilege escalation
- Cross tenant movement by abusing B2B collaboration
- Cloud to on-prem lateral movement - Abusing cloud sync
- Persistence - Abusing the cloud sync service account
- Initial access - Abusing AI Agents and GitHub Actions
- Enumeration - Authentication strength and conditional access
- Defense evasion - Evade phishing-resistant MFA
- Lateral movement - Accessing EC2 instance
- Data mining - Token extraction from Office apps using multiple methods
- Data mining - Access M365 services using stolen token
- Understanding Microsoft Entra Kerberos and Azure File Shares
- Cloud to on-prem lateral movement - Abusing Microsoft Entra Kerberos
- Understanding consents and permissions in Entra applications
- Initial Access - Illicit Consent Grant
- Setting up custom Azure infrastructure for Illicit Consent Grant
- Data mining - Reading Teams chat
- Defense against Illicit Consent Grant
- Defense Evasion - Evade conditional access, CAE and MFA
- Initial Access - Attacker in The Middle phishing
- Privilege Escalation - Session Cookie Replay
- Defense evasion - Bypass MFA
- Understanding Cloud Service Providers and Partners in Azure
- Understanding Azure Lighthouse
- Privilege Escalation - Abuse service provider permissions
- Understanding Azure Arc
- Cloud to on-prem lateral movement - Abusing Arc-enabled servers and extensions
- Defense against Arc-enabled servers
- Understanding SQL Servers in Azure Arc and Azure SQL Database
- On-Prem to cloud lateral movement - Abusing Linked Servers
- Privilege Escalation - Abusing SAML SSO to access enterprise applications as other users
You get two months' access to a live Azure lab environment containing multiple tenants during and after the class, and one attempt at the Certified by Altered Security Red Team Expert for Azure (CARTE) certification exam.
Who should take this course?
Red teamers and penetration testers who want to take their Azure Red Team skills to the next level should take this class. Blue teamers, Azure administrators and security professionals who want to understand the approach and techniques of advanced adversaries should take this class.
What's Included
- Access to a multi-tenant lab (One/Two/Three months) with live Azure environment. Lab can be accessed using a web browser or VPN.
- A ready-to-use student VM in the cloud that has all the tools pre-installed.
- Lifetime access to all the learning material (including course updates).
- 16+ hours of video course with English captions.
- Course slides.
- Lab manual.
- Kill chain diagrams.
- Walk-through videos.
- One exam attempt for Certified by Altered Security Red Team Expert for Azure (CARTE).
- Support on email and Discord.
What will you Learn?
You will be able to practice and sharpen popular tactics, techniques and procedures (TTPs) for Azure environments. In addition, you will learn how to bypass security controls like advanced Conditional Access Policies, Privileged Identity Management (PIM) and Microsoft Defender for Cloud, along with multiple ways to bypass MFA that is enforced using different methods.
A true step-up in Azure red team training, this course and its HUGE lab help you understand and execute some unique and advanced attacks when industry-recommended defenses are actively configured.
- The course lab runs on a live Azure environment. Therefore, whatever you learn in the lab is immediately applicable to your job.
- Practice attacks on Azure in a unique live lab environment that has multiple Azure tenants, different resources including hybrid identity and on-prem infrastructure, and access to Defender for Cloud for Azure resources.
- The lab environment makes heavy use of recommended security features like Conditional Access Policies, MFA and Defender for Cloud. You learn how to evade these defenses.
- There are 4 independent ‘Kill Chains’ included in the lab environment! Students can play for hours and solve the lab with different approaches.
- The lab has multiple user simulations for practicing attacks like Device Code Phishing, Illicit Consent Grant, AiTM phishing and other attacks.
- The focus of the course and lab is abuse of features. This means that whatever you learn in the course would have a very long shelf life.
- Understand the defenses available to counter the discussed attacks and analyze the footprints of the attackers!
Prerequisites for the course
- Understanding of Azure security or red teaming. If you are new to Azure security, please go for the basic edition of this class - Certified by Altered Security Red Team Professional for Azure - Basic Edition (https://www.alteredsecurity.com/azureadlab)
Top 3 takeaways
1. This course allows students to practice attacks on Microsoft recommended security controls (CAP, CAE, MFA and Defender for Cloud) in a live lab. These techniques can be directly applied in a red team operation in their job.
2. The focus of the course and lab is abuse of features. This means that whatever you learn in the course would have a very long shelf life.
3. Students can understand the defenses available to counter the discussed attacks and analyze the footprints of the attackers!
About the Trainer

Nikhil is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com. As a global leader in cybersecurity education, he has nurtured the field, helping bring it from niche groups to the mainstream.
Nikhil’s areas of interest include red teaming, Azure and Active Directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.
He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Azure, Active Directory attacks, defense and bypassing detection mechanisms. Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia), and at the world's top information security conferences.
He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.




