Attacking and Defending Azure & M365
Learn how to attack, perform forensics / detection and mitigate threats in Azure and M365
1. Introduction
1 Lesson
Introduction *NEW*
2. Overview of Azure/M365
3 Lessons
Module 2 Links and Resources
Updates to Entra ID *NEW*
Overview of Azure/M365 Lecture
3. Setting Up Your Environment
2 Lessons
Module 3 Links and Resources
Setting up your own environment *NEW*
4. Log Analysis Using SOF-ELK
2 Lessons
Module 4 Links and Resources
SOF-ELK Overview and Setup
5. Reconnaissance & Enumeration
8 Lessons
Module 5 Links and Resources
ATTACK - Enumerate users and domains
DETECT - Enumerate users and domains
ATTACK - Post exploitation reconnaissance
DETECT - Post exploitation reconnaissance
ATTACK - Access Packages (Insider) *NEW*
DETECT - Access Packages (Insider) *NEW*
MITIGATE - Access Packages (Insider) *NEW*
6. Initial Access Techniques
20 Lessons
Module 6 Links and Resources
Initial_Access_Technique_Files.zip
ATTACK - Password Spraying M365
DETECT - Password Spraying M365
MITIGATE - Password Spraying M365
ATTACK - OWA Password Spraying
DETECT - OWA Password Spraying
MITIGATE - OWA Password Spraying
ATTACK - OAuth Abuse
DETECT - OAuth Abuse
MITIGATE - OAuth Abuse
ATTACK - Device code authentication abuse
DETECT - Device code authentication abuse
MITIGATE - Device code authentication abuse
ATTACK - M365 Business email compromise
DETECT - M365 Business email compromise
MITIGATE - M365 Business email compromise
ATTACK - Bypassing MFA and CA *NEW*
DETECT - Bypassing MFA and CA *NEW*
MITIGATE - Bypassing MFA and CA *NEW*
7. Credential Theft
18 Lessons
Module 7 Links and Resources
ATTACK - Golden SAML attack
DETECT - Golden SAML attack
MITIGATE - Golden SAML attack
ATTACK - Attacking key vaults
DETECT - Attacking key vaults
MITIGATE - Attacking key vaults
ATTACK - Skeleton Keys (PTA Abuse)
DETECT - Skeleton Keys (PTA Abuse)
MITIGATE - Skeleton Keys (PTA Abuse)
ATTACK - Stealing access tokens from Office Apps
DETECT - Stealing access tokens from Office Apps
MITIGATE - Stealing access tokens from Office Apps
ATTACK - Extract passwords from automation accounts
DETECT - Extract passwords from automation accounts
MITIGATE - Extract passwords from automation accounts
ATTACK - Hunting credentials in previous deployment
DETECT - Hunting credentials in previous deployment
8. Lateral Movement Techniques
22 Lessons
Module 8 Links and Resources
ATTACK - Pass the PRT
DETECT - Pass the PRT
MITIGATE - Pass the PRT *NEW*
ATTACK - Pass the cookie
DETECT - Pass the cookie
MITIGATE - Pass the cookie
ATTACK - Abusing managed identities
DETECT - Abusing managed identities
MITIGATE - Abusing managed identities
ATTACK - Virtual Machine Abuse
DETECT - Virtual Machine Abuse
MITIGATE - Virtual Machine Abuse
ATTACK - Azure Lighthouse *NEW*
DETECT - Azure Lighthouse *NEW*
MITIGATE - Azure Lighthouse *NEW*
ATTACK - Microsoft Intune *NEW*
DETECT - Microsoft Intune *NEW*
MITIGATE - Microsoft Intune *NEW*
ATTACK - Azure Arc Custom Script Extension *NEW*
DETECT - Azure Arc Custom Script Extension *NEW*
MITIGATE - Azure Arc Custom Script Extension *NEW*
9. Privilege Escalation
11 Lessons
Module 9 Links and Resources
Abusing Azure AD / RBAC roles
ATTACK - Abusing Cloud Administrator
DETECT - Abusing Cloud Administrator
MITIGATE - Abusing Cloud Administrator
ATTACK - Abusing User Administrator
DETECT - Abusing User Administrator
MITIGATE - Abusing User Administrator
ATTACK - Abusing Family of Client IDs *NEW*
DETECT - Abusing Family of Client IDs *NEW*
MITIGATE - Abusing Family of Client IDs *NEW*
10. Persistence Techniques
25 Lessons
Module 10 Links and Resources
ATTACK - AAD federated Backdoor
DETECT - AAD federated Backdoor
MITIGATE - AAD federated Backdoor
ATTACK - Malicious MFA Takeover
DETECT - Malicious MFA Takeover
MITIGATE - Malicious MFA Takeover
ATTACK - Service Principal Abuse
DETECT - Service Principal Abuse
MITIGATE - Service Principal Abuse
ATTACK - Automation Account Abuse
DETECT - Automation Account Abuse
MITIGATE - Automation Account Abuse
ATTACK - Compromising Azure Blobs & Storage Accounts
DETECT - Compromising Azure Blobs & Storage Accounts
MITIGATE - Compromising Azure Blobs & Storage Accounts
ATTACK - Malicious Device Join
DETECT - Malicious Device Join
MITIGATE - Malicious Device Join
ATTACK - Directory Synchronization Accounts *NEW*
DETECT - Directory Synchronization Accounts *NEW*
MITIGATE - Directory Synchronization Accounts *NEW*
ATTACK - Cross Tenant Synchronisation *NEW*
DETECT - Cross Tenant Synchronisation *NEW*
MITIGATE - Cross Tenant Synchronisation *NEW*
11. Defense Evasion
10 Lessons
Module 11 Links and Resources
ATTACK - Disabling Auditing
DETECT - Disabling Auditing
MITIGATE - Disabling Auditing
ATTACK - Spoofing Azure Sign-in Logs
DETECT - Spoofing Azure Sign-in Logs
MITIGATE - Spoofing Azure Sign-in Logs
ATTACK - Registering Fake Agents for Log Spoofing
DETECT - Registering Fake Agents for Log Spoofing
MITIGATE - Registering Fake Agents for Log Spoofing