Invictus Incident Response training/Microsoft 365 Incident Response training

  • €849

Microsoft 365 Incident Response training

  • Closed
  • Course
  • 74 Lessons

In this course, we will focus on Microsoft 365 Incident Response (IR) and cover several key topics. The day begins with an introduction to Microsoft 365 IR, highlighting its importance in responding to security incidents within the Microsoft 365 environment.

Contents

Course Resources

KQL CheatSheet.pdf

Introduction

Welcome

Lab 0 - Setup

Lab 0 - Don't skip!
Demo: Change your CTF name

Microsoft 365 IR introduction

Course introduction
Microsoft 365 - Forensic artefacts

Entra ID

Entra ID, Users, Service Principals & Managed Identities (New)
Entra ID - Tokens 101 (New)
Entra ID - Roles (New)
Entra ID - Hybrid Setup (New)
Entra ID - Security (Conditional Access & Identity Protection) (New)

KQL for Incident Response

KQL Introduction
Demo: KQL querying
Need to know KQL commands
Advanced KQL
Links and Resources

Unified Audit Log (UAL)

Unified Audit Log: Introduction & Advanced Auditing (New)
Unified Audit Log: Structure (New)
Unified Audit Log: Access & Acquisition (New)
Demo: Setting up an account for UAL access & acquisition
Demo: Searching the UAL in Purview
Links and Resources

MailItemsAccessed

Everything you need to know about the MailItemsAccessed Operation
Demo: Investigate emails accessed using PowerShell and the Microsoft Graph

Lab 2.1 - Exploration of the UAL

Lab 2.1 - Instructions
Lab 2.1 - Walkthrough (with solutions)

Microsoft 365 Email Forwarding Rules

Forwarding rules: Introduction and Overview
Forensic analysis of inbox rules
Forensic analysis of transport rules
Forensic analysis of active forwarding rules

Mailbox Audit Log

Forensic analysis of the Mailbox audit log
Demo: Forensic analysis of email deletions in the audit log
Demo: Recovering deleted emails

Message Trace Log

Forensic analysis of the Message Trace Log (MTL)

Microsoft 365 Attack Techniques - Part I

Microsoft 365 Attacks Overview
Initial Access: Valid accounts, Password Attacks & Malicious apps
Initial Access: Phishing
Initial Access: MiTM & AiTM attacks
Initial Access: Device Code phishing
Initial Access: Microsoft Teams phishing
Links and Resources

Microsoft 365 Attack Techniques - Part II

Execution: API calls & PowerShell
Persistence & Privilege Escalation: Account manipulation
Persistence & Privilege Escalation: Account Creation & MFA registration

Microsoft 365 Attack Techniques - Part III

Collection & Exfiltration: eDiscovery & Content search
Collection & Exfiltration: Power Automate abuse
Microsoft 365 Attack tools
Microsoft 365 Attack tools - GraphRunner
Links and Resources

Lab 2.2 - Compromise of an email account

Lab 2.2 - Instructions
Lab 2.2 - Walkthrough (with solutions)

Microsoft 365 Anti-Forensics

Microsoft 365 Anti-Forensic techniques

Microsoft 365 Incident Response walkthrough

Incident Response - Walkthrough

Access Token abuse (New)

Access Token abuse & Family Of Client IDs (FOCI)

Lab 2.5 - Extracting & Manipulating tokens (Live Lab)

Lab 2.5 - Instructions
Lab 2.5 - Walkthrough (with solutions)

Microsoft 365 IR Tools & Techniques

Microsoft 365 IR tools - Overview
Microsoft-Extractor-Suite
Hawk
Untitled Goose Tool
Microsoft Defender for Cloud Apps
Demo: Installing and using the Microsoft Extractor Suite
Links and Resources

Lab 2.3 - The Extractor Suite

Lab 2.3 - Instructions
Lab 2.3 - Walkthrough (with solutions)

Lab 2.4 - Investigating OAuth apps

Lab 2.4 - Instructions
Lab 2.4 - Walkthrough (with solutions)

Best practices for remediation and recovery in Microsoft 365

Remediation & Recovery - Overview
Remediation & Recovery - Walkthrough
Links and Resources

Microsoft 365 CTF

CTF Instruction

Closing

Closing words
Request certificate

Resources

Setup user for Azure & M365 IR.pdf