
Cloud Red Team Tactics for Attacking and Defending Azure
3-day in-person
More than 95 percent of Fortune 500 companies use Azure today! A huge number of organizations now use Entra ID as an Identity and Access Management platform using the hybrid cloud model. This makes it imperative to understand the risks associated with Azure, as not only do the Windows infrastructure and apps use it, but identities across an enterprise are also authenticated using it.
In addition to cloud-only identity, the ability to connect on-prem Active Directory, applications and infrastructure to Azure brings some very interesting opportunities and risks too. Often complex to understand, this setup of components, infrastructure and identity is a security challenge.
This hands-on training focuses on abusing Azure and several of the services it offers. We will cover multiple complex attack lifecycles against a lab containing multiple live Azure tenants.
All the phases of Azure red teaming and pentesting – Recon, Initial access, Enumeration, Privilege Escalation, Lateral Movement, Persistence and Data mining are covered. We will also discuss detecting and monitoring for the techniques we use.
The course is a mixture of fun, demos, exercises, hands-on and lecture. The training focuses more on methodology and techniques than tools.
If you are a security professional trying to improve your skills in Azure cloud security, Azure pentesting or red teaming the Azure cloud, this is the right class for you!
The following topics are covered:
Introduction to Azure and Entra ID
Discovery and Recon of services and applications
Enumeration
Initial Access Attacks (Enterprise Apps, App Services, Function Apps, Insecure Storage, Phishing, Consent Grant Attacks, Device Code Auth Flow, Prompt Injection, Abuse of Copilot)
Enumeration post authentication (Storage Accounts, Key vaults, Blobs, Automation Accounts, Deployment Templates etc.)
Privilege Escalation (RBAC roles, Entra ID Roles, Across subscriptions)
Lateral Movement (Pass-the-PRT, Pass-the-Certificate, Across Tenant, cloud to on-prem, on-prem to cloud, Intune Abuse)
Lateral Movement (Across Tenant, cloud to on-prem, on-prem to cloud)
Persistence techniques
Data Mining
Bypassing Defenses (MFA, Conditional Access, Defender for Cloud)
Defenses, Monitoring and Auditing (CAP, PIM, Microsoft Defender for Cloud, JIT, Risk policies, MFA, MTPs, Azure Sentinel)
Course Overview
Day 1
Introduction to Azure and Entra ID
Discovery and Recon of services and applications
Enumeration
Initial Access Attacks (Enterprise Apps, App Services, Function Apps, Insecure Storage, Phishing, Consent Grant Attacks, Device Code Auth Flow, Prompt Injection, Abuse of Copilot)
Day 2
Enumeration post authentication (Storage Accounts, Key vaults, Blobs, Automation Accounts, Deployment Templates etc.)
Privilege Escalation (RBAC roles, Entra ID Roles, Across subscriptions)
Lateral Movement (Pass-the-PRT, Pass-the-Certificate, Across Tenant, cloud to on-prem, on-prem to cloud, Intune Abuse)
Day 3
Lateral Movement (Across Tenant, cloud to on-prem, on-prem to cloud)
Persistence techniques (Hybrid Identity, Golden SAML, Service Principals, Dynamic Groups)
Data Mining
Bypassing Defenses (MFA, Conditional Access, Defender for Cloud)
Defenses, Monitoring and Auditing (CAP, PIM, Microsoft Defender for Cloud, JIT, Risk policies, MFA, MTPs, Azure Sentinel)
What students will be provided with
Attendees will get two months of free access to a lab configured like an enterprise network, during and after the training.
An attempt at the completely hands-on Certified by Altered Security Red Team Professional for Azure (CARTP) certification exam.
In addition, lifetime access to learning aids like course slides, lab manual and walk-through videos, and lab support for as long as the lab access is active.
Target Audience
Red Team
Penetration Testers
Cloud Administrators
Cloud Architects
Malware analysts
Pre-requisites
A system with 4 GB RAM and the ability to install an OpenVPN client and RDP to Windows boxes.
Privileges to disable/change any antivirus or firewall.
Trainer Bio
Nikhil Mittal is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/
Nikhil’s areas of interest include red teaming, Azure and Active Directory security, attack research, defense strategies and post-exploitation research. He has 15+ years of experience in red teaming. He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.
LinkedIn: https://www.linkedin.com/in/mittalnikhil/
Twitter (X): @nikhil_mitt
Blog: alteredsecurity.com/blogs

