Incident Response in the Microsoft Cloud training
Buy now
Learn more
Welcome
Welcome
Lab 0 - Setup
Lab 0 - Don't skip!
Demo: Change your CTF name
Introduction - Azure Section
Course introduction
Azure IR introduction
Azure Terminology & Hierarchy
Azure Compute, Network and Storage components for IR
Azure Security components for IR
Demo: Exploring the Azure portal
Azure Active Directory
Azure AD, Users, Groups & Security Principals
Azure (AD) Roles
Azure AD Hybrid setup
Lab 1.1 - Exploring Azure
Lab 1.1 - Instructions
Lab 1.1 - Walkthrough (with solutions)
Azure Audit & Logging
Azure Audit & Logging
Microsoft Graph Activity Logs
Links and Resources
KQL for Incident Response
KQL Introduction
Demo: KQL querying
Need to know KQL commands
Advanced KQL
Links and Resources
Lab 1.2 - KQL Querying
Lab 1.2 - Instructions
Lab 1.2 - Walkthrough (with solutions)
Graph API for Incident Response
Introduction & Graph Explorer
Graph Application setup with a certificate
Graph API calls for IR
Demo: Configuring and Connecting a Graph app
Links and Resources
Azure Attack Techniques - Part I
Azure Attack Overview
Reconnaissance: Internal and External
Initial Access: Valid accounts, Password Attacks & Malicious apps
Links and Resources
Lab 1.3 - Recon & Initial Access
Lab 1.3 - Instructions
Lab 1.3 - Walkthrough (with solutions)
Azure Attack Techniques - Part II
Execution Introduction & Azure RunCommand
Execution: Virtual Machine Scripting & Automation accounts
Execution: Function app & Cloud Shell
Demo: Automation account & Azure Function investigation
Privilege Escalation: PIM & Elevated Access Toggle
Privilege Escalation: Azure AD applications
Persistence: Account Creation & Network Security Group Modification
Persistence: Azure Lighthouse & Delegated Administrators
Persistence: Cross-Tenant Synchronization & Subscription Transfers
Persistence: Federated options
Links and Resources
Lab 1.4 - Execution, Persistence & Privilege Escalation
Lab 1.4 - Instructions
Lab 1.4 - Walkthrough (with solutions)
Azure Attack Techniques - Part III
Credential Access: Tokens & Application secrets
Credential Access: KeyVault dumping
Demo: Keyvault Dumping Investigation
Exfiltration
Azure Attack tools
Links and Resources
Lab 1.5 - Credential Access, Exfiltration
Lab 1.5 - Instructions
Lab 1.5 - Walkthrough (with solutions)
Responding to Azure attacks
Introduction & NIST model
Cloud Incident Response: Preparation
Cloud Incident Response: Investigate & Contain
Cloud Incident Response: Remediate & Recover
Token & Session Revocation
Azure Incident Response tools
Links and Resources
Azure Debrief
Azure IR debrief
Azure CTF
CTF Instruction
Introduction - Microsoft 365 Section
Welcome
Microsoft 365 IR introduction
Microsoft 365 - Forensic artefacts
Microsoft 365 - Course introduction
Unified Audit Log (UAL)
Unified Audit Log: Introduction & Advanced Auditing
Unified Audit Log: Structure
Unified Audit Log: Access & Acquisition
Demo: Setting up an account for UAL access & acquisition
Demo: Searching the UAL in Purview
Links and Resources
MailItemsAccessed
Everything you need to know about the MailItemsAccessed Operation
Demo: Investigate emails accessed using PowerShell and the Microsoft Graph
Lab 2.1 - Exploration of the UAL
Lab 2.1 - Instructions
Lab 2.1 - Walkthrough (with solutions)
Microsoft 365 Email Forwarding Rules
Forwarding rules: Introduction and Overview
Forensic analysis of inbox rules
Forensic analysis of transport rules
Forensic analysis of active forwarding rules
Mailbox Audit Log
Forensic analysis of the Mailbox audit log
Demo: Forensic analysis of deleted emails
Demo: Recovering deleted emails
Message Trace Log
Forensic analysis of the Message Trace Log (MTL)
Microsoft 365 Attack Techniques - Part I
Microsoft 365 Attacks Overview
Initial Access: Phishing
Initial access: Device Code phishing
Initial access: Microsoft Teams phishing
Initial Access: MiTM & AiTM attacks
Links and Resources
Microsoft 365 Attack Techniques - Part II
Execution: API calls & PowerShell
Persistence & Privilege Escalation: Account manipulation
Persistence & Privilege Escalation: Account Creation & MFA registration
Microsoft 365 Attack Techniques - Part III
Collection & Exfiltration: eDiscovery & Content search
Collection & Exfiltration: Power Automate abuse
Microsoft 365 Attack tools
Microsoft 365 Attack tools - GraphRunner
Links and Resources
Lab 2.2 - Compromise of an email account
Lab 2.2 - Instructions
Lab 2.2 - Walkthrough (with solutions)
Microsoft 365 Incident Response walkthrough
Incident Response - Walkthrough
Lab 2.5 - Extracting & Manipulating tokens (Live Lab)
Lab 2.5 - Instructions
Lab 2.5 - Walkthrough (with solutions)
Microsoft 365 Anti-Forensics
Microsoft 365 Anti-Forensic techniques
Microsoft 365 IR Tools & Techniques
Microsoft 365 IR tools - Overview
Microsoft Extractor Suite
Hawk
Untitled Goose Tool
Microsoft Defender for Cloud Apps
Demo: Installing and using the Microsoft Extractor Suite
Links and Resources
Lab 2.3 - The Extractor Suite
Lab 2.3 - Instructions
Lab 2.3 - Walkthrough (with solutions)
Lab 2.4 - Investigating OAuth apps
Lab 2.4 - Instructions
Lab 2.4 - Walkthrough (with solutions)
Best practices for remediation and recovery in Microsoft 365
Remediation & Recovery - Overview
Remediation & Recovery - Walkthrough
Links and Resources
Microsoft 365 CTF
CTF Instruction
Closing
Closing words
Request certificate
Resources
Setup user for Azure & M365 IR.pdf
Products
Course
Section
KQL for Incident Response
KQL for Incident Response
Incident Response in the Microsoft Cloud training
Buy now
Learn more
Welcome
Welcome
Lab 0 - Setup
Lab 0 - Don't skip!
Demo: Change your CTF name
Introduction - Azure Section
Course introduction
Azure IR introduction
Azure Terminology & Hierarchy
Azure Compute, Network and Storage components for IR
Azure Security components for IR
Demo: Exploring the Azure portal
Azure Active Directory
Azure AD, Users, Groups & Security Principals
Azure (AD) Roles
Azure AD Hybrid setup
Lab 1.1 - Exploring Azure
Lab 1.1 - Instructions
Lab 1.1 - Walkthrough (with solutions)
Azure Audit & Logging
Azure Audit & Logging
Microsoft Graph Activity Logs
Links and Resources
KQL for Incident Response
KQL Introduction
Demo: KQL querying
Need to know KQL commands
Advanced KQL
Links and Resources
Lab 1.2 - KQL Querying
Lab 1.2 - Instructions
Lab 1.2 - Walkthrough (with solutions)
Graph API for Incident Response
Introduction & Graph Explorer
Graph Application setup with a certificate
Graph API calls for IR
Demo: Configuring and Connecting a Graph app
Links and Resources
Azure Attack Techniques - Part I
Azure Attack Overview
Reconnaissance: Internal and External
Initial Access: Valid accounts, Password Attacks & Malicious apps
Links and Resources
Lab 1.3 - Recon & Initial Access
Lab 1.3 - Instructions
Lab 1.3 - Walkthrough (with solutions)
Azure Attack Techniques - Part II
Execution Introduction & Azure RunCommand
Execution: Virtual Machine Scripting & Automation accounts
Execution: Function app & Cloud Shell
Demo: Automation account & Azure Function investigation
Privilege Escalation: PIM & Elevated Access Toggle
Privilege Escalation: Azure AD applications
Persistence: Account Creation & Network Security Group Modification
Persistence: Azure Lighthouse & Delegated Administrators
Persistence: Cross-Tenant Synchronization & Subscription Transfers
Persistence: Federated options
Links and Resources
Lab 1.4 - Execution, Persistence & Privilege Escalation
Lab 1.4 - Instructions
Lab 1.4 - Walkthrough (with solutions)
Azure Attack Techniques - Part III
Credential Access: Tokens & Application secrets
Credential Access: KeyVault dumping
Demo: Keyvault Dumping Investigation
Exfiltration
Azure Attack tools
Links and Resources
Lab 1.5 - Credential Access, Exfiltration
Lab 1.5 - Instructions
Lab 1.5 - Walkthrough (with solutions)
Responding to Azure attacks
Introduction & NIST model
Cloud Incident Response: Preparation
Cloud Incident Response: Investigate & Contain
Cloud Incident Response: Remediate & Recover
Token & Session Revocation
Azure Incident Response tools
Links and Resources
Azure Debrief
Azure IR debrief
Azure CTF
CTF Instruction
Introduction - Microsoft 365 Section
Welcome
Microsoft 365 IR introduction
Microsoft 365 - Forensic artefacts
Microsoft 365 - Course introduction
Unified Audit Log (UAL)
Unified Audit Log: Introduction & Advanced Auditing
Unified Audit Log: Structure
Unified Audit Log: Access & Acquisition
Demo: Setting up an account for UAL access & acquisition
Demo: Searching the UAL in Purview
Links and Resources
MailItemsAccessed
Everything you need to know about the MailItemsAccessed Operation
Demo: Investigate emails accessed using PowerShell and the Microsoft Graph
Lab 2.1 - Exploration of the UAL
Lab 2.1 - Instructions
Lab 2.1 - Walkthrough (with solutions)
Microsoft 365 Email Forwarding Rules
Forwarding rules: Introduction and Overview
Forensic analysis of inbox rules
Forensic analysis of transport rules
Forensic analysis of active forwarding rules
Mailbox Audit Log
Forensic analysis of the Mailbox audit log
Demo: Forensic analysis of deleted emails
Demo: Recovering deleted emails
Message Trace Log
Forensic analysis of the Message Trace Log (MTL)
Microsoft 365 Attack Techniques - Part I
Microsoft 365 Attacks Overview
Initial Access: Phishing
Initial access: Device Code phishing
Initial access: Microsoft Teams phishing
Initial Access: MiTM & AiTM attacks
Links and Resources
Microsoft 365 Attack Techniques - Part II
Execution: API calls & PowerShell
Persistence & Privilege Escalation: Account manipulation
Persistence & Privilege Escalation: Account Creation & MFA registration
Microsoft 365 Attack Techniques - Part III
Collection & Exfiltration: eDiscovery & Content search
Collection & Exfiltration: Power Automate abuse
Microsoft 365 Attack tools
Microsoft 365 Attack tools - GraphRunner
Links and Resources
Lab 2.2 - Compromise of an email account
Lab 2.2 - Instructions
Lab 2.2 - Walkthrough (with solutions)
Microsoft 365 Incident Response walkthrough
Incident Response - Walkthrough
Lab 2.5 - Extracting & Manipulating tokens (Live Lab)
Lab 2.5 - Instructions
Lab 2.5 - Walkthrough (with solutions)
Microsoft 365 Anti-Forensics
Microsoft 365 Anti-Forensic techniques
Microsoft 365 IR Tools & Techniques
Microsoft 365 IR tools - Overview
Microsoft Extractor Suite
Hawk
Untitled Goose Tool
Microsoft Defender for Cloud Apps
Demo: Installing and using the Microsoft Extractor Suite
Links and Resources
Lab 2.3 - The Extractor Suite
Lab 2.3 - Instructions
Lab 2.3 - Walkthrough (with solutions)
Lab 2.4 - Investigating OAuth apps
Lab 2.4 - Instructions
Lab 2.4 - Walkthrough (with solutions)
Best practices for remediation and recovery in Microsoft 365
Remediation & Recovery - Overview
Remediation & Recovery - Walkthrough
Links and Resources
Microsoft 365 CTF
CTF Instruction
Closing
Closing words
Request certificate
Resources
Setup user for Azure & M365 IR.pdf
5 Lessons
KQL Introduction
Demo: KQL querying
Need to know KQL commands
Advanced KQL
Links and Resources