What You Will Learn:
This advanced bootcamp is designed to help security professionals in understand, analyze and practice attacks in an enterprise-like live Azure environment that has effective security controls in place.
You will be able to practice and sharpen popular tactics, techniques and procedures (TTPs) for Azure environments. In addition, you will learn how to bypass security controls like Advanced Conditional Access Policies, Multiple ways to bypass MFA that is enforced using different methods, Privileged Identity Management (PIM) and Microsoft Defender for Cloud.
The class also focuses on abuse of JWT signing, Family of Client IDs (FOCI), Attribute Based Access Control (ABAC), Temporary Access Password (TAP), Custom Claims, Cross Tenant Access, Azure Lighthouse, Azure ARC, Multi-Cloud
Access, Tokens form Office Applications and traffic and Abuse of Kerberos in Entra ID.
Prerequisites
1. Basic understanding of Azure AD is desired but not mandatory.
2. System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes.
3. Privileges to disable/change any antivirus or firewall.
Bootcamp Syllabus
The course is split in four modules across four weeks:
Module I:
– Introduction to the Attack Methodology
– Understanding APIs, Endpoints and Versions
– Understanding OAuth, Microsoft Identity Platform and Authorization Flows
– Deep dive into Tokens and Claims
Module II:
– Initial Access Attacks – Device Code Phishing, Illicit Consent Grant, Attacker In The Middle, Abusing JWT Signing, Abusing Custom Claims, Abusing GitHub Actions and Workflow Discovery and Recon
– Enumeration of Azure AD (Entra ID) and Azure
– Abusing MS Graph API
Module III:
– Privilege Escalation by abusing Family of Client IDs, Certificate Based Authentication, Attribute Based Access Control, Privileged Identity Management, Tampering with Logic Apps, Authentication Cookies, Traffic Interception and more
– Lateral Movement by abusing Azure Lighthouse, Cross Tenant Access Settings, Kerberos in Entra ID, Trust between tenants, Multi-Cloud Management, Azure ARC, Token Extraction, Authentication Cookie Forging and Replay etc.
– Persistence techniques
Module IV:
– Bypassing Defences – Advanced Conditional Access Policies, Multiple ways to bypass MFA that is enforced using different methods, Privileged Identity Management (PIM) and Microsoft Defender for Cloud.
– Detecting and Stopping the attacks used in the class using Log Analysis and MS tools like Identity Protection, MFA, Conditional Access and Defender for Cloud.
