Advanced Incident Response in the Microsoft Cloud

Course Description

In this three-day hands-on training, you'll learn everything you need to know about forensics and incident response in the Microsoft cloud. The training covers both Microsoft 365 and Microsoft Azure: you'll get hands-on experience investigating attacks, acquiring forensic artefacts from the cloud and digging through the relevant artefacts.

Everything you learn is related to real-life threats observed against the Microsoft cloud. The trainer has real-life experience with incident response and forensic investigations in the cloud, and will share knowledge that is not available in any public resource. Once you've completed this training you will feel comfortable investigating any threat in the Microsoft cloud. The training is very hands-on and concludes with two full attack scenarios, one in Azure and one in M365; in the CTF you're tasked with solving as many pieces of the puzzle as you can.

Upon course completion you will receive a certificate of completion. Important: you only need to bring your laptop and a browser; we will provide you with access to the cloud tenants and the investigation data.

Course contents

Overview – Day 1 Microsoft Azure

On day 1 an overview of the services in the Azure cloud relevant to IR is provided, followed by a deep dive into how Azure environments are typically configured at clients. We will then look at all the different log sources available in Azure that can be used for IR and how these logs can be exported. You will learn how to find real-life attacks in the various Microsoft Azure log sources.

Sections & Exercises – Day 1 Microsoft Azure

Exercises – Day 1

  • Lab 0: Setup
  • Lab 1: Explore Azure & Azure AD Logging
  • Lab 2: KQL Querying
  • Lab 3: Investigating, Recon & Initial access attacks
  • Lab 4: Investigating, Execution, Persistence & Privilege Escalation attacks
  • Lab 5: Investigating, Credential Access & Exfiltration attacks

Sections – Day 1

  • Azure IR introduction
  • Azure Active Directory
  • Azure Audit & Logging
  • KQL for Incident Response
  • Azure Attacks (Recon & Initial Access)
  • Azure Attacks (Execution, Persistence & Privilege Escalation)
  • Azure Attacks (Credential Access, Exfiltration)
  • Responding to Azure Attacks

Overview – Day 2 Microsoft Azure & Microsoft 365

On day 2 we will finish the Azure section of the training and teach you how to respond to the different attacks you've seen and learned about. Additionally, you'll perform data acquisition of a live environment for IR purposes. After that we will switch gears and continue our exploration of incident response in the Microsoft cloud with the popular Microsoft 365 (M365) service. As a start we will look at the various services and logs available for analysis, followed by a deep dive into the most important piece of evidence: the Unified Audit Log (UAL). We will discuss several common attacks and how you can investigate them yourself. During the day you'll get hands-on experience with acquisition, processing and analysis of the UAL using a variety of tools. Finally, we will spend some time on recommendations for your client or your organization to prevent incidents in an M365 environment.

Exercises – Day 2

  • Lab 1: Exploration of the UAL
  • Lab 2: Compromise of an email account
  • Lab 3: The Extractor Suite

Sections – Day 2

  • Microsoft 365 IR introduction
  • Unified Audit Log (UAL)
  • Other Microsoft 365 forensic artefacts
  • Microsoft 365 Attack techniques
  • Microsoft 365 IR Tools and Techniques

Overview – Day 3 Microsoft 365 & CTF challenge

On day 3 we will cover the latest additions to the Microsoft 365 course, such as anti-forensics in M365 and the brand-new Microsoft Graph Activity Logs. You'll also investigate Entra ID application abuse in a live lab environment. The afternoon will be reserved for the CTF challenge, which gives you access to live Azure and M365 environments and their data, where you'll have the chance to investigate two distinct cloud compromises.

Exercises – Day 3

  • Investigating Microsoft Graph Activity
  • Azure CTF
  • Microsoft CTF

Sections – Day 3

  • Microsoft 365 Anti-Forensics
  • Microsoft Graph Activity Log forensics
  • Best practices for remediation and recovery in Microsoft 365
  • Wrap-up & Evaluation

Target audience

  • Incident responders
  • Blue team
  • Detection engineers
  • Security analysts
  • Threat hunters

Trainer Biography

Korstiaan Stam is an incident response specialist with approximately ten years of working experience in digital forensics and incident response. Long before the cloud was cool, he was already researching it from a forensics perspective, which led him to become a SANS instructor for FOR509: Enterprise Cloud Forensics and Incident Response. Korstiaan is now the founder and owner of Invictus Incident Response, specializing in cloud incident response and offering cloud incident response trainings.

Beginning with assembling personal computers at a small computer shop, Korstiaan quickly developed an interest in IT—specifically in investigating digital traces. “Once I heard about a professional program to develop these skills, I jumped on that opportunity and never looked back,” he says. He currently holds a master’s degree in Digital Investigation and Forensic Computing and a bachelor’s degree in IT Forensics.

Twitter : @InvictusIR