Invictus Incident Response training/Microsoft Azure Incident Response training

  • €849

Microsoft Azure Incident Response training

  • Closed
  • Course
  • 76 Lessons

This course covers a comprehensive range of Azure Incident Response (IR) and security topics. You will be introduced to Azure IR and its significance in safeguarding cloud environments. Azure Active Directory (Azure AD) will be explored, focusing on its role in maintaining secure access to Azure resources. Azure audit and logging will also be discussed, highlighting their importance in monitoring and tracking activities. 

Contents

Course Resources

KQL CheatSheet.pdf

Welcome

Welcome

Lab 0 - Setup

Lab 0 - Don't skip!
Demo: Change your CTF name

Introduction

Course introduction

Azure IR introduction

Azure Terminology (New)
Azure Hierarchy (New)
Azure Compute, Network and Storage components for IR
Azure Security components for IR
Demo: Exploring the Azure portal

Entra ID

Entra ID, Users, Service Principals & Managed Identities (New)
Entra ID - Tokens 101 (New)
Entra ID - Roles (New)
Entra ID - Security (Conditional Access & Identity Protection) (New)
Entra ID - Hybrid Setup (New)

Lab 1.1 - Exploring Azure

Lab 1.1 - Instructions
Lab 1.1 - Walkthrough (with solutions)

Azure Audit & Logging

Azure Audit & Logging
Links and Resources

KQL for Incident Response

KQL Introduction (New)
Demo: KQL querying
Need to know KQL commands (New)
KQL for Incident Response & Resources (New)
Advanced KQL
Links and Resources

Lab 1.2 - KQL Querying

Lab 1.2 - Instructions
Lab 1.2 - Walkthrough (with solutions)

Graph API for Incident Response

Introduction & Graph Explorer
Graph Application setup with a certificate
Graph API calls for IR
Demo: Configuring and Connecting a Graph app
Links and Resources

Microsoft Graph Activity Logs (New)

Microsoft Graph Activity Logs (New)

Azure Attack Techniques - Part I

Azure Attack Overview (New)
Reconnaissance: Internal and External (New)
Initial Access: Valid accounts, Password Attacks & Malicious apps
Initial Access: Phishing
Initial Access: MiTM & AiTM attacks
Links and Resources

Lab 1.3 - Recon & Initial Access

Lab 1.3 - Instructions
Lab 1.3 - Walkthrough (with solutions)

Azure Attack Techniques - Part II

Execution: Introduction & Azure RunCommand
Execution: Serial Console (New)
Execution: Virtual Machine Scripting & Automation accounts
Execution: Function app (New)
Execution: Intune & Cloud Shell (New)
Demo: Automation account & Azure Function investigation
Privilege Escalation: PIM & Elevated Access Toggle
Privilege Escalation: Azure AD applications
Persistence: Account Creation & Network Security Group Modification
Persistence: Azure Lighthouse & Delegated Administrators
Persistence: Cross-Tenant Synchronization & Subscription Transfers
Persistence: Federated options
Links and Resources

Lab 1.4 - Execution, Persistence & Privilege Escalation

Lab 1.4 - Instructions
Lab 1.4 - Walkthrough (with solutions)

Azure Attack Techniques - Part III

Credential Access: Tokens & Application secrets
Credential Access: KeyVault dumping
Demo: Keyvault Dumping Investigation
Exfiltration
Impact: Resource Deletion & Cryptomining (New)
Azure Attack tools
Links and Resources

Lab 1.5 - Credential Access, Exfiltration

Lab 1.5 - Instructions
Lab 1.5 - Walkthrough (with solutions)

Responding to Azure attacks

Introduction & NIST model
Cloud Incident Response: Preparation
Cloud Incident Response: Investigate & Contain
Cloud Incident Response: Remediate & Recover
Token & Session Revocation
Azure Incident Response tools
Links and Resources

Azure CTF

CTF Instruction

Closing

Closing words
Request certificate

Resources

Setup user for Azure & M365 IR.pdf