
Mastering Advanced Incident Response in the Microsoft Cloud (In-Person)

3-day in-person course

In this three-day hands-on training, you'll learn everything you need to know about forensics and incident response in the Microsoft cloud. The training covers both Microsoft 365 and Microsoft Azure: you'll get hands-on experience with investigating attacks, acquiring forensic artefacts from the cloud and digging through the relevant artefacts. Everything you learn is related to real-life threats observed against the Microsoft cloud. The trainer has real-life experience with incident response and forensic investigations in the cloud, and will share knowledge that is not available in any public resource. Once you've completed this training you will feel comfortable investigating any threat in the Microsoft cloud. The training is very hands-on and concludes with two full attack scenarios, one in Azure and one in M365; in the CTF you are tasked with solving as many pieces of the puzzle as you can. Upon course completion you will receive a certificate of completion.


Important: you only have to bring your laptop and a browser. We will provide you with access to the cloud tenants and the investigation data.


Below is an overview of the sections covered and the exercises per day.

Course Overview

Day 1 - Microsoft Azure

On day 1 we start with an overview of the services in the Azure cloud that are relevant to IR, followed by a deep dive into how Azure environments are typically configured at clients. We will then look at the different log sources available in Azure that can be used for IR and how these logs can be exported. You will learn how to find real-life attacks in the various Microsoft Azure log sources.


Sections & Exercises - Day 1 Microsoft Azure


Exercises – Day 1


• Lab 0: Setup

• Lab 1.1: Explore Azure & Azure AD Logging

• Lab 1.2: KQL Querying

• Lab 1.3: Investigating Recon & Initial Access attacks

• Lab 1.4: Investigating Execution, Persistence & Privilege Escalation attacks

• Lab 1.5: Investigating Credential Access & Exfiltration attacks


Sections – Day 1


• Azure IR introduction

• Azure Active Directory

• Azure Audit & Logging

• KQL for Incident Response

• Azure Attacks (Recon & Initial Access)

• Azure Attacks (Execution, Persistence & Privilege Escalation)

• Azure Attacks (Credential Access, Exfiltration)

• Responding to Azure Attacks


Day 2 - Microsoft Azure & Microsoft 365

On day 2 we will finish the Azure section of the training and teach you how to respond to the different attacks you've seen and learned about. Additionally, you'll perform data acquisition of a live environment for IR purposes. After that we will switch gears and continue our exploration of incident response in the Microsoft cloud with the popular M365 service. As a start we will look at the various services and logs available for analysis, followed by a deep dive into the most important piece of evidence: the Unified Audit Log (UAL). We will discuss several common attacks and how you can investigate them yourself. During the day you'll get hands-on experience with acquisition, processing, and analysis of the Unified Audit Log (UAL) using a variety of tools. Finally, we will spend some time on recommendations for your client or your organization to prevent incidents in an M365 environment.


Exercises – Day 2


• Lab 2.1: Exploration of the UAL

• Lab 2.2: Compromise of an email account

• Lab 2.3: The Extractor Suite


Sections - Day 2


• Microsoft 365 IR introduction

• Unified Audit Log (UAL)

• Other Microsoft 365 forensic artefacts

• Microsoft 365 Attack techniques

• Microsoft 365 IR Tools and Techniques


Day 3 - Microsoft 365 & CTF challenge

On day 3 we will cover the latest additions to the Microsoft 365 course, such as Anti-Forensics in M365 and the brand new Microsoft Graph Activity Logs. You'll also investigate Entra ID application abuse in a live lab environment. The afternoon is reserved for the CTF challenge. The CTF challenge gives you access to live environments and data from Azure and M365, and you'll have the chance to investigate two distinct cloud compromises.


Exercises - Day 3


• Lab 2.4: Investigating OAuth applications

• Lab 2.5: Access/Session Token extraction

• Azure CTF

• Microsoft CTF


Sections - Day 3


• Microsoft 365 Anti-Forensics

• Microsoft Graph Activity Log forensics

• Best practices for remediation and recovery in Microsoft 365

• Wrap-up & Evaluation

Target Audience


Blue team, detection engineers, threat hunters, incident responders

Pre-requisites


To be completed

Trainer Bio


Korstiaan Stam is an Incident Response specialist with approximately ten years of working experience in digital forensics and incident response. Way before the cloud was cool, he was already researching it from a forensics perspective, which led him to become a SANS Instructor for FOR509: Enterprise Cloud Forensics and Incident Response. Korstiaan is now the founder and owner of Invictus Incident Response, which specializes in cloud incident response and offers cloud incident response trainings.


Beginning with assembling personal computers at a small computer shop, Korstiaan quickly developed an interest in IT—specifically in investigating digital traces. “Once I heard about a professional program to develop these skills, I jumped on that opportunity and never looked back,” he says. He currently holds a master’s degree in Digital Investigation and Forensic Computing and a bachelor’s degree in IT Forensics.


Twitter: @InvictusIR
