Jussi Metso

It’s all about The Cloud and The Security
September 9, 2024

Microsoft Cloud Attack and Defense Bootcamp

Overview

I had a chance to participate in the new Microsoft Cloud Attack and Defense bootcamp hosted by Pwned Labs. I learned a lot but need to practice more for the exam.

So if you are interested in becoming a penetration tester, red team operator or cloud security professional focused on Azure and M365, this learning path is something you could check out.

The realistic labs simulate actual company environments and active users across Azure and Microsoft 365, of the kind you are likely to come across during engagements or in your own organization.

  • Identify, replicate and detect tradecraft from recent cloud breaches
  • Explore various methods to complete the same tasks and become tool-agnostic
  • Learn how to evict threats and rotate/reset various forms of credentials

The bootcamp showcases trending techniques and tradecraft used by real threat actors, including Storm-0558 and APT-29.

Bootcamp's learning possibilities

It has four live sessions and matching learning paths, with labs of course:

  1. Getting initial access to the Microsoft Cloud
  2. Attacking M365, abusing tokens and bypassing MFA
  3. Attacking and defending Azure resources
  4. Purple and blue teaming in Azure

The bootcamp starts from the basics, like AZ-900, but it goes deep very quickly. If you already know and understand the following topics, this should be easy:

  • Understanding key Azure, Entra ID and Microsoft Graph concepts
  • Leveraging Azure resources to gain initial access and move laterally
  • Using modern phishing frameworks to gain initial access
  • Performing token abuse for lateral movement
  • Hands-on purple teaming in Azure
  • Increasing resource access through Office/Microsoft 365
  • Exploiting Conditional Access Policy / MFA enablement gaps
  • Attacking and defending Azure App Services
  • Creating Azure and Microsoft 365 tenant security reports
  • Detecting threats with Microsoft Sentinel
  • Lateral Movement from Azure to on-premises AD, and back!

You can learn them during the bootcamp, but of course the labs and the exam will then be harder.

After the bootcamp it’s possible to take the Microsoft Cloud Red Team Professional (MCRTP) exam.

Sessions in the bootcamp

I will briefly present what kind of content is included in the different sessions.

Getting initial access to the Microsoft Cloud

After covering the required theory on Azure and Entra ID, you’ll learn about ARM, Microsoft Graph, and various techniques for user enumeration, including internal authenticated and external unauthenticated methods. You’ll then get hands-on with techniques to gain Azure initial access, from on-premises, password spraying, subdomain and blob container enumeration and phishing.

The associated learning path for this session provides a solid introduction to Azure security.

Attacking M365, abusing tokens and bypassing MFA

In this next part you’ll explore various aspects of tokens, including types, scopes, locations, and formats. You’ll get hands-on with token abuse for lateral movement in Azure and M365. We’ll also identify MFA gaps using various tools, and harvest data from M365 using GraphRunner and direct API calls. The session includes a demonstration of AADInternals and hands-on activities to create and bypass Conditional Access Policy (CAP) challenges.

In the associated learning path for this session you’ll get hands-on with exfiltrating data from M365 using GraphRunner, create phishing lures and infrastructure to exploit active users, and capitalize on MFA enablement gaps.

Attacking and defending Azure resources

You’ll practice offensive tradecraft against Azure Container Apps, Web Apps, Function Apps, VMs, and databases. After exploiting an Azure Web App, we’ll use this to move laterally, and also explore defensive measures. The session includes demonstrations on attacking Function Apps, remotely executing commands on Azure VMs using Script Extensions, and exfiltrating data from Azure Cosmos DB.

The associated learning path for this session provides further hands-on experience in attacking Azure App Services, virtual machines and databases.

Purple and blue teaming in Azure

You’ll engage in purple teaming exercises using BloodHound and ROADrecon to identify attack paths in Azure environments. You’ll also explore Azure security tools for defenders, including Sentinel, Azure sign-in and activity logs, and ScubaGear. This final session features a fun capstone CTF that simulates a realistic scenario, followed by a Q&A and guidance on preparing for the MCRTP exam.

The labs included in the learning path for this session reinforce familiarity with BloodHound, gaining situational awareness in Azure, and exploiting resources for lateral movement. They are also suitable for a CTF approach if you prefer to test your readiness for the exam.

The certification - Microsoft Cloud Red Team Professional (MCRTP)


In the Microsoft Cloud Red Team Professional (MCRTP) exam, you’ll have 24 hours to exploit a realistic scenario. You will be provided with an entry point and will need to complete an exploitation chain to get the flag.

On completion of the Microsoft Cloud Attack and Defense bootcamp and its accompanying learning path, you’ll be prepared to demonstrate your skills in the realistic exam lab. This fully hands-on, unproctored exam challenges you to apply your newfound expertise in the hunt for flags.

The exam environment is dynamic, with flags and scenarios changing periodically to ensure the credibility of the certification when applying for Azure security roles.

The environment for the exam is also provided by Pwned Labs, so you don’t need to buy any other environment to take the exam.

In addition to your official MCRTP certificate you will also receive a Credly digital certificate.

Good luck and may the force be with you.

The host and the trainer

Ian Austin is a security researcher and educator with a career spanning over 20 years in technical, security and leadership roles for global enterprises.

Ian was Head of Content at Hack The Box, an online platform for cybersecurity training and assessment. He also participated in the Green Team of Locked Shields, a NATO cyber defense exercise, contributing to the design and execution of realistic scenarios.

He is the founder of Pwned Labs, providing gamified and immersive cloud security labs for red and blue teams.

So if you want to participate in the real bootcamp for Azure red & blue team activities, join here.
