This immersive five-day training delivers a complete, hands-on journey through Azure security, identity abuse, threat detection, and cloud incident response. Students begin by establishing core foundations (Azure architecture, governance, logging, and the security stack) before progressing into the full Azure Cyber Kill Chain. Participants will perform real-world attacks across identity, compute, storage, and control-plane layers, including token theft, AiTM phishing, privilege escalation, service principal compromise, misconfigurations, and persistence techniques unique to Azure.
Course syllabus
This Live Virtual Class consists of 15 modules covering incident response in the cloud. Each module combines essential theory with individual practice in the exercises, along with many hands-on tools and real-case scenarios.
Module 1: Azure Security & IR Fundamentals
- Introduction to Entra ID
- Shared responsibility model & Azure security layers
- Azure Terminology & Hierarchy (Tenants, Subs, MGMT Groups)
- Azure Resource Manager (ARM) & control-plane concepts
- Azure Compute, Network, and Storage components
- Azure Security components (Defender for Cloud, Sentinel)
- Threat modeling for Azure services
Module 2: Deep Dive into ID & Governance
- Entra ID Overview: Users, Groups, Service Principals, Managed Identities
- Entra ID Roles (Azure AD vs. Azure RBAC)
- Entra ID – Tokens (Access, Refresh, PRT, SSO) & Auth Flows
- Privileged Identity Management (PIM) basics
- Entra ID – Hybrid Setup (Connect, Sync, ADFS)
Module 3: Core Controls, Benchmarks & Logging
- Azure Security Benchmark (ASB) & Secure Score
- Network Security Groups, Firewall, basic segmentation
- Azure Audit & Logging: Activity Logs, Resource Logs, Entra ID Logs
- Defender for Cloud & Sentinel logging architecture
Module 4: Reconnaissance & Initial Access
- Azure Attack Overview
- Reconnaissance: Internal and External
- Initial Access: Valid accounts, Password Attacks (Spray, Stuffing)
- Initial Access: Malicious apps & illicit consent grants
- Initial Access: Phishing (Traditional, AiTM) & MiTM attacks
- Demo: AiTM in action
Module 5: Infrastructure & Network Attacks
- Attacking Azure VMs, extensions, managed identities
- Exploiting VM agent weaknesses
- Attacking storage accounts & SAS tokens
- Attack flow with public endpoints & Bypassing NSGs
- Demo: enumerating cloud resources through token leakage
Module 6: Execution & Privilege Escalation
- Execution: Azure RunCommand, Serial Console, Automation accounts
- Execution: Function app, Intune & Cloud Shell
- Privilege Escalation: PIM & Elevated Access Toggle
- Privilege Escalation: Abusing ARM APIs
- Privilege Escalation: Misconfigured Azure AD applications
- Demo: privilege escalation via misconfigured app registrations
Module 7: Advanced Identity Attacks & Credential Access
- Conditional Access design and common failures
- Token replay & token theft
- Pass-the-PRT, stealing session artifacts
- Attacking service principals & managed identities
- Credential Access: Application secrets & KeyVault dumping
Module 8: Persistence Techniques
- Account Creation (Guest, Shadow Admin)
- Network Security Group Modification
- Azure Lighthouse & Delegated Administrators
- Cross-Tenant Synchronization & Subscription Transfers
- Federated options (Golden SAML)
- Persistence in Azure (Apps, Functions, SPNs, connectors)
- Demo: persistent backdoor through Azure App Registration
Module 9: Exfiltration & Impact
- Exfiltration: Storage accounts, SAS tokens, data services
- Impact: Resource Deletion & Cryptomining
- Cross-tenant attacks & multi-cloud attack paths
Module 10: KQL for Incident Response
- KQL Introduction & Syntax
- Need-to-know KQL commands (let, join, parse, extend)
- KQL for Incident Response & Resources
- Sentinel log ingestion best practices
- Demo: Building a KQL hunting query from scratch
Module 11: KQL (UDFs, functions, make-series)
- Advanced KQL (UDFs, functions, make-series)
- Using KQL to hunt for identity attacks (token theft, persistence)
- Hunting for resource manipulation via ARM
- Hunting for compromised service principals
- Demo: building a custom analytic rule in Sentinel
Module 12: Graph API for Incident Response
- Introduction & Graph Explorer
- Graph Application setup with a certificate
- Graph API calls for IR (enumerating users, apps, logs)
- Investigating Microsoft Graph Activity Logs
- Azure Attack tools overview
Module 13: Responding to Azure Attacks (NIST)
- Introduction & NIST model
- Cloud-first vs hybrid IR scenarios
- Cloud Incident Response: Preparation
- Cloud Incident Response: Investigate & Contain
- Evidence acquisition in Azure & live response
- Azure Incident Response tools
- Demo: investigating an Azure compromise end-to-end
Module 14: Remediation & Strategic Hardening
- Cloud Incident Response: Remediate & Recover
- Token & Session Revocation (Entra ID, Azure)
- Responding to identity compromise vs. resource compromise
- Zero Trust in Azure & Secure Landing Zones
- Advanced key management (Key Vault, HSM)
Module 15: Advanced & Strategic Best Practices
- Supply chain attacks via Azure DevOps
- Designing a secure cloud operating model
- Continuous compliance, automation, & IaC security
- DevSecOps in Azure
- Governance & policy enforcement at scale
Who is it for?
Enterprise administrators, infrastructure architects, security professionals, systems engineers, network administrators, IT professionals, security consultants and other people responsible for implementing network and perimeter security.
To attend this training, you should have good hands-on experience in administering Windows infrastructure. At least 5 years in the field is recommended. All attendees should have experience with Active Directory Domain Services (AD DS) administration.