Invictus Incident Response training/Incident Response in the Microsoft Cloud training

  • €1,650

Incident Response in the Microsoft Cloud training

  • Course
  • 137 Lessons

Want to kickstart your cloud incident response skills and learn how to respond to incidents in the Microsoft Cloud? This course covers Microsoft 365 and Azure incident response. It is not just theory videos: it includes hands-on cloud labs and demos, and we will tell you all our tricks to make you a (better) cloud incident responder.

Contents

Course Resources

Find all the relevant resources for this course

Course References
KQL CheatSheet
Setup user for Azure & M365 IR.pdf

Welcome

Welcome

Lab 0 - Setup

Lab 0 - Don't skip!
Demo: Change your CTF name

Introduction - Azure Section

Course introduction

Azure IR introduction

Azure Terminology (New)
Azure Hierarchy (New)
Azure Compute, Network and Storage components for IR
Azure Security components for IR
Demo: Exploring the Azure portal

Entra ID

Entra ID - Users, Service Principals & Managed Identities (New)
Entra ID - Tokens 101 (New)
Entra ID - Roles (New)
Entra ID - Hybrid Setup (New)
Entra ID - Security (Conditional Access & Identity Protection) (New)

Lab 1.1 - Exploring Azure

Lab 1.1 - Instructions
Lab 1.1 - Walkthrough (with solutions)

Entra ID & Azure Logging

Entra ID & Azure - Logging overview
Tenant Audit logging
Subscription, Resource Logging & Log exporting
Links and Resources

KQL for Incident Response

KQL Introduction (New)
Demo: KQL querying
Need to know KQL commands (New)
KQL for Incident Response & Resources (New)
Advanced KQL
Links and Resources

Lab 1.2 - KQL Querying

Lab 1.2 - Instructions
Lab 1.2 - Walkthrough (with solutions)

Graph API for Incident Response

Introduction & Graph Explorer
Graph Application setup with a certificate
Graph API calls for IR
Demo: Configuring and Connecting a Graph app
Links and Resources

Microsoft Graph Activity Logs (New)

Microsoft Graph Activity Logs (New)

Azure Attack Techniques - Part I

Azure Attack Overview (New)
Reconnaissance: Internal and External (New)
Initial Access: Valid accounts, Password Attacks & Malicious apps
Links and Resources

Lab 1.3 - Recon & Initial Access

Lab 1.3 - Instructions
Lab 1.3 - Walkthrough (with solutions)

Azure Attack Techniques - Part II

Execution Introduction & Azure RunCommand
Execution: Serial Console (New)
Execution: Virtual Machine Scripting & Automation accounts
Execution: Function app (New)
Execution: Intune & Cloud Shell (New)
Demo: Automation account & Azure Function investigation
Privilege Escalation: PIM & Elevated Access Toggle
Privilege Escalation: Entra ID applications
Persistence: Account Creation & Network Security Group Modification
Persistence: Azure Lighthouse & Delegated Administrators
Persistence: Cross-Tenant Synchronization & Subscription Transfers
Persistence: Federated options
Links and Resources

Lab 1.4 - Execution, Persistence & Privilege Escalation

Lab 1.4 - Instructions
Lab 1.4 - Walkthrough (with solutions)

Azure Attack Techniques - Part III

Credential Access: Tokens & Application secrets
Credential Access: KeyVault dumping
Demo: Keyvault Dumping Investigation
Exfiltration
Impact: Resource Deletion & Cryptomining (New)
Azure Attack tools
Links and Resources

Lab 1.5 - Credential Access, Exfiltration

Lab 1.5 - Instructions
Lab 1.5 - Walkthrough (with solutions)

Responding to Azure attacks

Introduction & NIST model
Cloud Incident Response: Preparation
Cloud Incident Response: Investigate & Contain
Cloud Incident Response: Remediate & Recover
Token & Session Revocation
Azure Incident Response tools
Links and Resources

Azure Debrief

Azure IR debrief

Azure CTF

CTF Instruction

Introduction - Microsoft 365 Section

Welcome

Microsoft 365 IR introduction

Microsoft 365 - Forensic artefacts
Microsoft 365 - Course introduction

Unified Audit Log (UAL)

Unified Audit Log: Introduction & Advanced Auditing (New)
Unified Audit Log: Structure (New)
Unified Audit Log: Access & Acquisition (New)
Demo: Setting up an account for UAL access & acquisition
Demo: Searching the UAL in Purview
Links and Resources

MailItemsAccessed

Everything you need to know about the MailItemsAccessed Operation
Demo: Investigate emails accessed using PowerShell and the Microsoft Graph

Lab 2.1 - Exploration of the UAL

Lab 2.1 - Instructions
Lab 2.1 - Walkthrough (with solutions)

Microsoft 365 Email Forwarding Rules

Forwarding rules: Introduction and Overview
Forensic analysis of inbox rules
Forensic analysis of transport rules
Forensic analysis of active forwarding rules

Mailbox Audit Log

Forensic analysis of the Mailbox audit log
Demo: Forensic analysis of deleted emails
Demo: Recovering deleted emails

Message Trace Log

Forensic analysis of the Message Trace Log (MTL)

Microsoft 365 Attack Techniques - Part I

Microsoft 365 Attacks Overview
Initial Access: Phishing
Initial access: Device Code phishing
Initial access: Microsoft Teams phishing
Initial Access: MiTM & AiTM attacks
Links and Resources

Microsoft 365 Attack Techniques - Part II

Execution: API calls & PowerShell
Persistence & Privilege Escalation: Account manipulation
Persistence & Privilege Escalation: Account Creation & MFA registration

Microsoft 365 Attack Techniques - Part III

Collection & Exfiltration: eDiscovery & Content search
Collection & Exfiltration: Power Automate abuse
Links and Resources

Lab 2.2 - Compromise of an email account

Lab 2.2 - Instructions
Lab 2.2 - Walkthrough (with solutions)

Microsoft 365 Attack Tools (New)

Microsoft 365 Attack tools
Microsoft 365 Attack tools - GraphRunner

Access Token abuse (New)

Access Token abuse & Family Of Client IDs (FOCI)

Lab 2.5 - Extracting & Manipulating tokens (Live Lab)

Lab 2.5 - Instructions
Lab 2.5 - Walkthrough (with solutions)

Microsoft 365 Anti-Forensics

Microsoft 365 Anti-Forensic techniques

Microsoft 365 IR Tools & Techniques

Microsoft 365 IR tools - Overview
Microsoft Extractor Suite
Hawk
Untitled Goose Tool
Microsoft Defender for Cloud Apps
Demo: Installing and using the Microsoft Extractor Suite
Links and Resources

Lab 2.3 - The Extractor Suite

Lab 2.3 - Instructions
Lab 2.3 - Walkthrough (with solutions)

Microsoft 365 Incident Response walkthrough

Incident Response - Walkthrough

Best practices for remediation and recovery in Microsoft 365

Remediation & Recovery - Overview
Remediation & Recovery - Walkthrough
Links and Resources

Lab 2.4 - Investigating OAuth apps

Lab 2.4 - Instructions
Lab 2.4 - Walkthrough (with solutions)

Microsoft 365 CTF

CTF Instruction

Closing

Closing words
Request certificate

Lab 2.6 - Investigation of a malicious Function (Live Lab)

Lab 2.6 - Walkthrough (with solutions)

Lab 2.7 - Investigation of a suspicious automation account (Live Lab)

Lab 2.7 - Walkthrough (with solutions)