Hawk
Hawk
Incident Response in the Microsoft Cloud training
Buy now
Learn more
Course Resources
Course References
KQL CheatSheet
Setup user for Azure & M365 IR.pdf
Welcome
Welcome
Lab 0 - Setup
Lab 0 - Don't skip!
Demo: Change your CTF name
Introduction - Azure Section
Course introduction
Azure IR introduction
Azure Terminology (New)
Azure Hierarchy (New)
Azure Compute, Network and Storage components for IR
Azure Security components for IR
Demo: Exploring the Azure portal
Entra ID
Entra ID - Users, Service Principals & Managed Identities (New)
Entra ID - Tokens 101 (New)
Entra ID - Roles (New)
Entra ID - Hybrid Setup (New)
Entra ID - Security (Conditional Access & Identity Protection) (New)
Lab 1.1 - Exploring Azure
Lab 1.1 - Instructions
Lab 1.1 - Walkthrough (with solutions)
Entra ID & Azure Logging
Entra ID & Azure - Logging overview
Tenant Audit logging
Subscription, Resource Logging & Log exporting
Links and Resources
KQL for Incident Response
KQL Introduction (New)
Demo: KQL querying
Need to know KQL commands (New)
KQL for Incident Response & Resources (New)
Advanced KQL
Links and Resources
Lab 1.2 - KQL Querying
Lab 1.2 - Instructions
Lab 1.2 - Walkthrough (with solutions)
Graph API for Incident Response
Introduction & Graph Explorer
Graph Application setup with a certificate
Graph API calls for IR
Demo: Configuring and Connecting a Graph app
Links and Resources
Microsoft Graph Activity Logs (New)
Microsoft Graph Activity Logs (New)
Azure Attack Techniques - Part I
Azure Attack Overview (New)
Reconnaissance: Internal and External (New)
Initial Access: Valid accounts, Password Attacks & Malicious apps
Links and Resources
Lab 1.3 - Recon & Initial Access
Lab 1.3 - Instructions
Lab 1.3 - Walkthrough (with solutions)
Azure Attack Techniques - Part II
Execution Introduction & Azure RunCommand
Execution: Serial Console (New)
Execution: Virtual Machine Scripting & Automation accounts
Execution: Function app (New)
Execution: Intune & Cloud Shell (New)
Demo: Automation account & Azure Function investigation
Privilege Escalation: PIM & Elevated Access Toggle
Privilege Escalation: Entra ID applications
Persistence: Account Creation & Network Security Group Modification
Persistence: Azure Lighthouse & Delegated Administrators
Persistence: Cross-Tenant Synchronization & Subscription Transfers
Persistence: Federated options
Links and Resources
Lab 1.4 - Execution, Persistence & Privilege Escalation
Lab 1.4 - Instructions
Lab 1.4 - Walkthrough (with solutions)
Azure Attack Techniques - Part III
Credential Access: Tokens & Application secrets
Credential Access: KeyVault dumping
Demo: Keyvault Dumping Investigation
Exfiltration
Impact: Resource Deletion & Cryptomining (New)
Azure Attack tools
Links and Resources
Lab 1.5 - Credential Access, Exfiltration
Lab 1.5 - Instructions
Lab 1.5 - Walkthrough (with solutions)
Responding to Azure attacks
Introduction & NIST model
Cloud Incident Response: Preparation
Cloud Incident Response: Investigate & Contain
Cloud Incident Response: Remediate & Recover
Token & Session Revocation
Azure Incident Response tools
Links and Resources
Azure Debrief
Azure IR debrief
Azure CTF
CTF Instruction
Introduction - Microsoft 365 Section
Welcome
Microsoft 365 IR introduction
Microsoft 365 - Forensic artefacts
Microsoft 365 - Course introduction
Unified Audit Log (UAL)
Unified Audit Log: Introduction & Advanced Auditing (New)
Unified Audit Log: Structure (New)
Unified Audit Log: Access & Acquisition (New)
Demo: Setting up an account for UAL access & acquisition
Demo: Searching the UAL in Purview
Links and Resources
MailItemsAccessed
Everything you need to know about the MailItemsAccessed Operation
Demo: Investigate emails accessed using PowerShell and the Microsoft Graph
Lab 2.1 - Exploration of the UAL
Lab 2.1 - Instructions
Lab 2.1 - Walkthrough (with solutions)
Microsoft 365 Email Forwarding Rules
Forwarding rules: Introduction and Overview
Forensic analysis of inbox rules
Forensic analysis of transport rules
Forensic analysis of active forwarding rules
Mailbox Audit Log
Forensic analysis of the Mailbox audit log
Demo: Forensic analysis of deleted emails
Demo: Recovering deleted emails
Message Trace Log
Forensic analysis of the Message Trace Log (MTL)
Microsoft 365 Attack Techniques - Part I
Microsoft 365 Attacks Overview
Initial Access: Phishing
Initial access: Device Code phishing
Initial access: Microsoft Teams phishing
Initial Access: MiTM & AiTM attacks
Links and Resources
Microsoft 365 Attack Techniques - Part II
Execution: API calls & PowerShell
Persistence & Privilege Escalation: Account manipulation
Persistence & Privilege Escalation: Account Creation & MFA registration
Microsoft 365 Attack Techniques - Part III
Collection & Exfiltration: eDiscovery & Content search
Collection & Exfiltration: Power Automate abuse
Links and Resources
Lab 2.2 - Compromise of an email account
Lab 2.2 - Instructions
Lab 2.2 - Walkthrough (with solutions)
Microsoft 365 Attack Tools (New)
Microsoft 365 Attack tools
Microsoft 365 Attack tools - GraphRunner
Access Token abuse (New)
Access Token abuse & Family Of Client IDs (FOCI)
Lab 2.5 - Extracting & Manipulating tokens (Live Lab)
Lab 2.5 - Instructions
Lab 2.5 - Walkthrough (with solutions)
Microsoft 365 Anti-Forensics
Microsoft 365 Anti-Forensic techniques
Microsoft 365 IR Tools & Techniques
Microsoft 365 IR tools - Overview
Microsoft Extractor Suite
Hawk
Untitled Goose Tool
Microsoft Defender for Cloud Apps
Demo: Installing and using the Microsoft Extractor Suite
Links and Resources
Lab 2.3 - The Extractor Suite
Lab 2.3 - Instructions
Lab 2.3 - Walkthrough (with solutions)
Microsoft 365 Incident Response walkthrough
Incident Response - Walkthrough
Best practices for remediation and recovery in Microsoft 365
Remediation & Recovery - Overview
Remediation & Recovery - Walkthrough
Links and Resources
Lab 2.4 - Investigating OAuth apps
Lab 2.4 - Instructions
Lab 2.4 - Walkthrough (with solutions)
Microsoft 365 CTF
CTF Instruction
Closing
Closing words
Request certificate
Lab 2.6 - Investigation of a malicious Function (Live Lab)
Lab 2.6 - Walkthrough (with solutions)
Lab 2.7 - Investigation of a suspicious automation account (Live Lab)
Lab 2.7 - Walkthrough (with solutions)
Preview unavailable
You must log in or sign up to view this lesson.
Login
Sign up
Incident Response in the Microsoft Cloud training
Buy now
Learn more
Course Resources
Course References
KQL CheatSheet
Setup user for Azure & M365 IR.pdf
Welcome
Welcome
Lab 0 - Setup
Lab 0 - Don't skip!
Demo: Change your CTF name
Introduction - Azure Section
Course introduction
Azure IR introduction
Azure Terminology (New)
Azure Hierarchy (New)
Azure Compute, Network and Storage components for IR
Azure Security components for IR
Demo: Exploring the Azure portal
Entra ID
Entra ID - Users, Service Principals & Managed Identities (New)
Entra ID - Tokens 101 (New)
Entra ID - Roles (New)
Entra ID - Hybrid Setup (New)
Entra ID - Security (Conditional Access & Identity Protection) (New)
Lab 1.1 - Exploring Azure
Lab 1.1 - Instructions
Lab 1.1 - Walkthrough (with solutions)
Entra ID & Azure Logging
Entra ID & Azure - Logging overview
Tenant Audit logging
Subscription, Resource Logging & Log exporting
Links and Resources
KQL for Incident Response
KQL Introduction (New)
Demo: KQL querying
Need to know KQL commands (New)
KQL for Incident Response & Resources (New)
Advanced KQL
Links and Resources
Lab 1.2 - KQL Querying
Lab 1.2 - Instructions
Lab 1.2 - Walkthrough (with solutions)
Graph API for Incident Response
Introduction & Graph Explorer
Graph Application setup with a certificate
Graph API calls for IR
Demo: Configuring and Connecting a Graph app
Links and Resources
Microsoft Graph Activity Logs (New)
Microsoft Graph Activity Logs (New)
Azure Attack Techniques - Part I
Azure Attack Overview (New)
Reconnaissance: Internal and External (New)
Initial Access: Valid accounts, Password Attacks & Malicious apps
Links and Resources
Lab 1.3 - Recon & Initial Access
Lab 1.3 - Instructions
Lab 1.3 - Walkthrough (with solutions)
Azure Attack Techniques - Part II
Execution Introduction & Azure RunCommand
Execution: Serial Console (New)
Execution: Virtual Machine Scripting & Automation accounts
Execution: Function app (New)
Execution: Intune & Cloud Shell (New)
Demo: Automation account & Azure Function investigation
Privilege Escalation: PIM & Elevated Access Toggle
Privilege Escalation: Entra ID applications
Persistence: Account Creation & Network Security Group Modification
Persistence: Azure Lighthouse & Delegated Administrators
Persistence: Cross-Tenant Synchronization & Subscription Transfers
Persistence: Federated options
Links and Resources
Lab 1.4 - Execution, Persistence & Privilege Escalation
Lab 1.4 - Instructions
Lab 1.4 - Walkthrough (with solutions)
Azure Attack Techniques - Part III
Credential Access: Tokens & Application secrets
Credential Access: KeyVault dumping
Demo: Keyvault Dumping Investigation
Exfiltration
Impact: Resource Deletion & Cryptomining (New)
Azure Attack tools
Links and Resources
Lab 1.5 - Credential Access, Exfiltration
Lab 1.5 - Instructions
Lab 1.5 - Walkthrough (with solutions)
Responding to Azure attacks
Introduction & NIST model
Cloud Incident Response: Preparation
Cloud Incident Response: Investigate & Contain
Cloud Incident Response: Remediate & Recover
Token & Session Revocation
Azure Incident Response tools
Links and Resources
Azure Debrief
Azure IR debrief
Azure CTF
CTF Instruction
Introduction - Microsoft 365 Section
Welcome
Microsoft 365 IR introduction
Microsoft 365 - Forensic artefacts
Microsoft 365 - Course introduction
Unified Audit Log (UAL)
Unified Audit Log: Introduction & Advanced Auditing (New)
Unified Audit Log: Structure (New)
Unified Audit Log: Access & Acquisition (New)
Demo: Setting up an account for UAL access & acquisition
Demo: Searching the UAL in Purview
Links and Resources
MailItemsAccessed
Everything you need to know about the MailItemsAccessed Operation
Demo: Investigate emails accessed using PowerShell and the Microsoft Graph
Lab 2.1 - Exploration of the UAL
Lab 2.1 - Instructions
Lab 2.1 - Walkthrough (with solutions)
Microsoft 365 Email Forwarding Rules
Forwarding rules: Introduction and Overview
Forensic analysis of inbox rules
Forensic analysis of transport rules
Forensic analysis of active forwarding rules
Mailbox Audit Log
Forensic analysis of the Mailbox audit log
Demo: Forensic analysis of deleted emails
Demo: Recovering deleted emails
Message Trace Log
Forensic analysis of the Message Trace Log (MTL)
Microsoft 365 Attack Techniques - Part I
Microsoft 365 Attacks Overview
Initial Access: Phishing
Initial access: Device Code phishing
Initial access: Microsoft Teams phishing
Initial Access: MiTM & AiTM attacks
Links and Resources
Microsoft 365 Attack Techniques - Part II
Execution: API calls & PowerShell
Persistence & Privilege Escalation: Account manipulation
Persistence & Privilege Escalation: Account Creation & MFA registration
Microsoft 365 Attack Techniques - Part III
Collection & Exfiltration: eDiscovery & Content search
Collection & Exfiltration: Power Automate abuse
Links and Resources
Lab 2.2 - Compromise of an email account
Lab 2.2 - Instructions
Lab 2.2 - Walkthrough (with solutions)
Microsoft 365 Attack Tools (New)
Microsoft 365 Attack tools
Microsoft 365 Attack tools - GraphRunner
Access Token abuse (New)
Access Token abuse & Family Of Client IDs (FOCI)
Lab 2.5 - Extracting & Manipulating tokens (Live Lab)
Lab 2.5 - Instructions
Lab 2.5 - Walkthrough (with solutions)
Microsoft 365 Anti-Forensics
Microsoft 365 Anti-Forensic techniques
Microsoft 365 IR Tools & Techniques
Microsoft 365 IR tools - Overview
Microsoft Extractor Suite
Hawk
Untitled Goose Tool
Microsoft Defender for Cloud Apps
Demo: Installing and using the Microsoft Extractor Suite
Links and Resources
Lab 2.3 - The Extractor Suite
Lab 2.3 - Instructions
Lab 2.3 - Walkthrough (with solutions)
Microsoft 365 Incident Response walkthrough
Incident Response - Walkthrough
Best practices for remediation and recovery in Microsoft 365
Remediation & Recovery - Overview
Remediation & Recovery - Walkthrough
Links and Resources
Lab 2.4 - Investigating OAuth apps
Lab 2.4 - Instructions
Lab 2.4 - Walkthrough (with solutions)
Microsoft 365 CTF
CTF Instruction
Closing
Closing words
Request certificate
Lab 2.6 - Investigation of a malicious Function (Live Lab)
Lab 2.6 - Walkthrough (with solutions)
Lab 2.7 - Investigation of a suspicious automation account (Live Lab)
Lab 2.7 - Walkthrough (with solutions)