Azure AD Attacks for Red and Blue Teams – Basic Edition

Course Description

More than 95 percent of Fortune 500 use Azure today! A huge number of organizations now  use Azure AD as an Identity and Access Management platform using the hybrid cloud model.  This makes it imperative to understand the risks associated with Azure AD as not only the  Windows infrastructure and apps use it but also identities of users across an enterprise are  authenticated using it. 

In addition to cloud-only identity, the ability to connect on-prem Active Directory, applications  and infrastructure to Azure AD brings some very interesting opportunities and risks too. Often complex to understand, this setup of components, infrastructure and identity is a security  challenge. This hands-on training aims towards abusing Azure AD and a number of services offered by it.  We will cover multiple complex attack lifecycles against a lab containing multiple live Azure  tenants.  

All the phases of Azure red teaming and pentesting – Recon, Initial access, Enumeration,  Privilege Escalation, Lateral Movement, Persistence and Data mining are covered. We will also  discuss detecting and monitoring for the techniques we use. 

The course is a mixture of fun, demos, exercises, hands-on and lecture. The training focuses  more on methodology and techniques than tools.  

If you are a security professional trying to improve your skills in Azure AD cloud security, Azure  Pentesting or Red teaming the Azure cloud this is the right class for you!

Attendees will get free one month access to a lab configured like an Enterprise azure,  during and after the training.

Course contents

Module 1 

  • Introduction to Azure AD 
  • Discovery and Recon of services and applications  
  • Enumeration 
  • Initial Access Attacks (Enterprise Apps, App Services, Logical Apps, Function Apps,  Unsecured Storage, Phishing, Consent Grant Attacks) 

Module 2 

  • Authenticated Enumeration (Storage Accounts, Key vaults, Blobs, Automation Accounts,  Deployment Templates etc.) 
  • Privilege Escalation (RBAC roles, Azure AD Roles, Across subscriptions) 

Module 3 

  • Lateral Movement (Pass-the-PRT, Pass-the-Certificate, Across Tenant, cloud to on-prem,  on-prem to cloud) 
  • Persistence techniques 

Module 4 

  • Data Mining 
  • Defenses, Monitoring and Auditing (CAP, PIM, Security Center, JIT, Risk policies, Azure  Defender, Azure Sentinel) 
  • Bypassing Defenses 

Target audience

Red teamers and penetration testers who want to improve on their Azure AD attack skills  should take this class. Blue teamers, Azure AD administrators and security professionals who  want to understand the approach and techniques of adversaries should take this class.


  • Basic understanding of Azure AD is desired but not mandatory.

System Requirements

  • System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes.
  • Privileges to disable/change any antivirus or firewall.

Trainer Biography

Nikhil Mittal s a hacker, infosec researcher, speaker and enthusiast. His area of interest  includes red teaming, active directory security, attack research, defense strategies and post exploitation research. He has 12+ years of experience in red teaming. 

He specializes in assessing security risks at secure environments that require novel attack  vectors and “out of the box” approach. He has worked extensively on Active Directory, Azure  AD attacks, defense and bypassing detection mechanisms and Offensive PowerShell for red  teaming. He is creator of multiple tools like Nishang, a post exploitation framework in  PowerShell, Deploy-Deception a framework for deploying Active Directory deception and RACE  toolkit for attacking Windows ACLs. In his spare time, Nikhil researches on new attack  methodologies and updates his tools and frameworks. 

Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE  Asia), and at the world’s top information security conferences. 

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.