Setup user for Azure & M365 IR.pdf

Microsoft Azure Incident Response training

Course Resources

  • KQL CheatSheet.pdf

Welcome

  • Welcome

Lab 0 - Setup

  • Lab 0 - Don't skip!
  • Demo: Change your CTF name

Introduction

  • Course introduction

Azure IR introduction

  • Azure Terminology (New)
  • Azure Hierarchy (New)
  • Azure Compute, Network and Storage components for IR
  • Azure Security components for IR
  • Demo: Exploring the Azure portal

Entra ID

  • Entra ID, Users, Service Principals & Managed Identities (New)
  • Entra ID - Tokens 101 (New)
  • Entra ID - Roles (New)
  • Entra ID - Security (Conditional Access & Identity Protection) (New)
  • Entra ID - Hybrid Setup (New)

Lab 1.1 - Exploring Azure

  • Lab 1.1 - Instructions
  • Lab 1.1 - Walkthrough (with solutions)

Azure Audit & Logging

  • Azure Audit & Logging
  • Links and Resources

KQL for Incident Response

  • KQL Introduction (New)
  • Demo: KQL querying
  • Need to know KQL commands (New)
  • KQL for Incident Response & Resources (New)
  • Advanced KQL
  • Links and Resources

Lab 1.2 - KQL Querying

  • Lab 1.2 - Instructions
  • Lab 1.2 - Walkthrough (with solutions)

Graph API for Incident Response

  • Introduction & Graph Explorer
  • Graph Application setup with a certificate
  • Graph API calls for IR
  • Demo: Configuring and Connecting a Graph app
  • Links and Resources

Microsoft Graph Activity Logs (New)

  • Microsoft Graph Activity Logs (New)

Azure Attack Techniques - Part I

  • Azure Attack Overview (New)
  • Reconnaissance: Internal and External (New)
  • Initial Access: Valid accounts, Password Attacks & Malicious apps
  • Initial Access: Phishing
  • Initial Access: MiTM & AiTM attacks
  • Links and Resources

Lab 1.3 - Recon & Initial Access

  • Lab 1.3 - Instructions
  • Lab 1.3 - Walkthrough (with solutions)

Azure Attack Techniques - Part II

  • Execution: Introduction & Azure RunCommand
  • Execution: Serial Console (New)
  • Execution: Virtual Machine Scripting & Automation accounts
  • Execution: Function app (New)
  • Execution: Intune & Cloud Shell (New)
  • Demo: Automation account & Azure Function investigation
  • Privilege Escalation: PIM & Elevated Access Toggle
  • Privilege Escalation: Azure AD applications
  • Persistence: Account Creation & Network Security Group Modification
  • Persistence: Azure Lighthouse & Delegated Administrators
  • Persistence: Cross-Tenant Synchronization & Subscription Transfers
  • Persistence: Federated options
  • Links and Resources

Lab 1.4 - Execution, Persistence & Privilege Escalation

  • Lab 1.4 - Instructions
  • Lab 1.4 - Walkthrough (with solutions)

Azure Attack Techniques - Part III

  • Credential Access: Tokens & Application secrets
  • Credential Access: KeyVault dumping
  • Demo: Keyvault Dumping Investigation
  • Exfiltration
  • Impact: Resource Deletion & Cryptomining (New)
  • Azure Attack tools
  • Links and Resources

Lab 1.5 - Credential Access, Exfiltration

  • Lab 1.5 - Instructions
  • Lab 1.5 - Walkthrough (with solutions)

Responding to Azure attacks

  • Introduction & NIST model
  • Cloud Incident Response: Preparation
  • Cloud Incident Response: Investigate & Contain
  • Cloud Incident Response: Remediate & Recover
  • Token & Session Revocation
  • Azure Incident Response tools
  • Links and Resources

Azure CTF

  • CTF Instruction

Closing

  • Closing words
  • Request certificate

Resources

  • Setup user for Azure & M365 IR.pdf