T2: Advanced Incident Response in the Microsoft Cloud

Training Details

3-DAY TRAINING, 1-3 JUNE @ MEERVAART AMSTERDAM
TICKET PRICE: €1900 EX BTW

In this three-day hands-on training you will learn everything you need to know about forensics and incident response in the Microsoft cloud. The training covers both Microsoft 365 and Microsoft Azure. You will get hands-on experience with investigating attacks, acquiring forensic artefacts from the cloud and analysing the relevant artefacts. Everything you learn is tied to real-life threats observed against the Microsoft cloud. The trainer has first-hand experience with incident response and forensic investigations in the cloud and will share knowledge that is not available in any public resource. Once you have completed this training you will be comfortable investigating any threat in the Microsoft cloud. The training is very hands-on and concludes with two full attack scenarios, one in Azure and one in M365, in which you are tasked in a CTF to solve as many pieces of the puzzle as you can.

Training Outline

Overview - Day 1 Microsoft Azure

Day 1 starts with an overview of the Azure services relevant to IR, followed by a deep dive into how Azure environments are typically configured at clients. We then look at the different log sources available in Azure that can be used for IR and how to export them. You will learn how to find real-life attacks in the various Microsoft Azure log sources.

Sections & Exercises - Day 1 Microsoft Azure

Exercises – Day 1

  • Lab 0: Setup
  • Lab 1.1: Explore Azure & Azure AD Logging
  • Lab 1.2: KQL Querying
  • Lab 1.3: Investigating Recon & Initial Access attacks
  • Lab 1.4: Investigating Execution, Persistence & Privilege Escalation attacks
  • Lab 1.5: Investigating Credential Access & Exfiltration attacks

Sections – Day 1

  • Azure IR introduction
  • Azure Active Directory
  • Azure Audit & Logging
  • KQL for Incident Response
  • Azure Attacks (Recon & Initial Access)
  • Azure Attacks (Execution, Persistence & Privilege Escalation)
  • Azure Attacks (Credential Access, Exfiltration)
  • Responding to Azure Attacks

Overview - Day 2 Microsoft Azure & Microsoft 365

On day 2 we finish the Azure part of the training and teach you how to respond to the different attacks you have seen and learned about. You will also perform data acquisition from a live environment for IR purposes. After that we switch gears and continue our exploration of incident response in the Microsoft cloud with Microsoft 365. We start with the various services and logs available for analysis, followed by a deep dive into the most important piece of evidence, the Unified Audit Log (UAL). We discuss several common attacks and how you can investigate them yourself. During the day you get hands-on experience with the acquisition, processing and analysis of the UAL using a variety of tools. Finally, we spend some time on recommendations for your client or your organisation to prevent incidents in an M365 environment.

Sections & Exercises - Day 2 Microsoft Azure & Microsoft 365

Exercises – Day 2

  • Lab 2.1: Exploration of the UAL
  • Lab 2.2: Compromise of an email account
  • Lab 2.3: Extracting Tokens

Sections - Day 2

  • Microsoft 365 IR introduction
  • Unified Audit Log (UAL)
  • Other Microsoft 365 forensic artefacts
  • Microsoft 365 Attack techniques
  • Microsoft 365 IR Tools and Techniques

Overview - Day 3 Microsoft 365 & CTF challenge

On day 3 we cover the latest additions to the Microsoft 365 part of the course: anti-forensics in M365 and the new Microsoft Graph activity logs. You will also investigate Entra ID application abuse in a live lab environment. The afternoon is reserved for the CTF challenge, in which you get access to live Azure and M365 environments and their data and investigate two distinct cloud compromises.

Sections & Exercises - Day 3 Microsoft 365 & CTF challenge

Exercises - Day 3

  • Lab 2.4: The Microsoft Extractor Suite
  • Azure CTF
  • Microsoft 365 CTF

Sections - Day 3

  • Microsoft 365 Anti-Forensics
  • Microsoft Graph Activity Log forensics
  • Best practices for remediation and recovery in Microsoft 365
  • Wrap-up & Evaluation

Prerequisites

Students should be familiar with the Microsoft cloud (Azure, Entra ID & M365).

Hardware & Software requirements

  • Laptop with a modern OS (Windows/macOS/Linux)
  • PowerShell
  • (Recommended) Excel, useful for certain analysis tasks

KORSTIAAN STAM

Korstiaan is an Incident Response specialist with approximately ten years of working experience in digital forensics and incident response. Way before the cloud was cool, he was already researching it from a forensics perspective, which led him to become a SANS Instructor for FOR509: Enterprise Cloud Forensics and Incident Response. Korstiaan is also the founder and owner of Invictus Incident Response, which specialises in cloud incident response and offers cloud incident response trainings.