Course Syllabus
111 Videos
26 Labs
16+ Hours of Content
Introduction
Introduction (NEW)
Overview of Azure/M365
Module 2 Links and Resources
Updates to Entra ID (NEW)
Overview of Azure/M365 Lecture
Setting Up Your Environment
Module 3 Links and Resources
Setting up your own environment (NEW)
Log Analysis Using SOF-ELK
Module 4 Links and Resources
SOF-ELK Overview and Setup
Reconnaissance & Enumeration
Module 5 Links and Resources
ATTACK - Enumerate Users and Domains
DETECT - Enumerate Users and Domains
ATTACK - Post Exploitation Reconnaissance
DETECT - Post Exploitation Reconnaissance
ATTACK - Access Packages (Insider) (NEW)
DETECT - Access Packages (Insider) (NEW)
MITIGATE - Access Packages (Insider) (NEW)
Initial Access Techniques
Module 6 Links and Resources
ATTACK - Password Spraying M365
DETECT - Password Spraying M365
MITIGATE - Password Spraying M365
ATTACK - OWA Password Spraying
DETECT - OWA Password Spraying
MITIGATE - OWA Password Spraying
ATTACK - OAuth Abuse
DETECT - OAuth Abuse
MITIGATE - OAuth Abuse
ATTACK - Device Code Authentication Abuse
DETECT - Device Code Authentication Abuse
MITIGATE - Device Code Authentication Abuse
ATTACK - M365 Business Email Compromise
DETECT - M365 Business Email Compromise
MITIGATE - M365 Business Email Compromise
ATTACK - Bypassing MFA and CA (NEW)
DETECT - Bypassing MFA and CA (NEW)
MITIGATE - Bypassing MFA and CA (NEW)
Credential Theft
Module 7 Links and Resources
ATTACK - Golden SAML Attack
DETECT - Golden SAML Attack
MITIGATE - Golden SAML Attack
ATTACK - Attacking Key Vaults
DETECT - Attacking Key Vaults
MITIGATE - Attacking Key Vaults
ATTACK - Skeleton Keys (PTA Abuse)
DETECT - Skeleton Keys (PTA Abuse)
MITIGATE - Skeleton Keys (PTA Abuse)
ATTACK - Stealing Access Tokens from Office Apps
DETECT - Stealing Access Tokens from Office Apps
MITIGATE - Stealing Access Tokens from Office Apps
ATTACK - Extract Passwords from Automation Accounts
DETECT - Extract Passwords from Automation Accounts
MITIGATE - Extract Passwords from Automation Accounts
ATTACK - Hunting Credentials in Previous Deployment
DETECT - Hunting Credentials in Previous Deployment
Lateral Movement Techniques
Module 8 Links and Resources
ATTACK - Pass the PRT
DETECT - Pass the PRT
MITIGATE - Pass the PRT (NEW)
ATTACK - Pass the Cookie
DETECT - Pass the Cookie
MITIGATE - Pass the Cookie
ATTACK - Abusing Managed Identities
DETECT - Abusing Managed Identities
MITIGATE - Abusing Managed Identities
ATTACK - Virtual Machine Abuse
DETECT - Virtual Machine Abuse
MITIGATE - Virtual Machine Abuse
ATTACK - Azure Lighthouse (NEW)
DETECT - Azure Lighthouse (NEW)
MITIGATE - Azure Lighthouse (NEW)
ATTACK - Microsoft Intune (NEW)
DETECT - Microsoft Intune (NEW)
MITIGATE - Microsoft Intune (NEW)
ATTACK - Azure Arc Custom Script Extension (NEW)
DETECT - Azure Arc Custom Script Extension (NEW)
MITIGATE - Azure Arc Custom Script Extension (NEW)
Privilege Escalation
Module 9 Links and Resources
Abusing Azure AD / RBAC Roles
ATTACK - Cloud Administrator Abuse
DETECT - Cloud Administrator Abuse
MITIGATE - Cloud Administrator Abuse
ATTACK - User Administrator Abuse
DETECT - User Administrator Abuse
MITIGATE - User Administrator Abuse
ATTACK - Abusing Family of Client IDs (NEW)
DETECT - Abusing Family of Client IDs (NEW)
MITIGATE - Abusing Family of Client IDs (NEW)
Persistence Techniques
Module 10 Links and Resources
ATTACK - AAD Federated Backdoor
DETECT - AAD Federated Backdoor
MITIGATE - AAD Federated Backdoor
ATTACK - Malicious MFA Takeover
DETECT - Malicious MFA Takeover
MITIGATE - Malicious MFA Takeover
ATTACK - Service Principal Abuse
DETECT - Service Principal Abuse
MITIGATE - Service Principal Abuse
ATTACK - Automation Account Abuse
DETECT - Automation Account Abuse
MITIGATE - Automation Account Abuse
ATTACK - Compromising Azure Blobs & Storage Accounts
DETECT - Compromising Azure Blobs & Storage Accounts
MITIGATE - Compromising Azure Blobs & Storage Accounts
ATTACK - Malicious Device Join
DETECT - Malicious Device Join
MITIGATE - Malicious Device Join
ATTACK - Directory Synchronization Accounts (NEW)
DETECT - Directory Synchronization Accounts (NEW)
MITIGATE - Directory Synchronization Accounts (NEW)
ATTACK - Cross Tenant Synchronization (NEW)
DETECT - Cross Tenant Synchronization (NEW)
MITIGATE - Cross Tenant Synchronization (NEW)
Defense Evasion
Module 11 Links and Resources
ATTACK - Disabling Auditing
DETECT - Disabling Auditing
MITIGATE - Disabling Auditing
ATTACK - Spoofing Azure Sign-in Logs
DETECT - Spoofing Azure Sign-in Logs
MITIGATE - Spoofing Azure Sign-in Logs
ATTACK - Registering Fake Agents for Log Spoofing
DETECT - Registering Fake Agents for Log Spoofing
MITIGATE - Registering Fake Agents for Log Spoofing
Course Trainers
InverseCos (Lina)
Founder of XINTRA, Lina has worked in incident response for many years, leading complex international cases covering sectors such as national defence, banking, energy, and manufacturing.
Lina is a Black Hat trainer, SANS advisory board member and has presented at several international conferences and authored a book on cybersecurity. She currently holds the following certifications: GXPN, GASF, GREM, GCFA and OSCP.
We’ve got you covered
Frequently Asked Questions
Online course versus live course?
The live course includes an attack and defend lab environment with lab questions. You are taught by TWO instructors over two days.
The online course does not include labs; you are expected to have your own tenant to practice in. You will also not have a live instructor answering questions.
Are there labs in the online course?
You are expected to bring your own tenant and follow along with the exercises.
Labs are provided in the LIVE version of the course (an attack and defend lab), along with two instructors.
How long is this course?
There are 114 videos in total, spanning over 16 hours of content. In live training, this course is taught over a 4-day period (or 2 days for a shorter version).
What does this course cover?
For each of the techniques in the syllabus above, the course breaks down:
Forensics and Detection
Attack Methodology
Mitigation Steps
Demos for Attack & Defend
Aside from covering each technique in detail, the course also covers:
Background on Azure/M365
Attacking and defending hybrid environments
Setting up your own environment (FREE developer E5)
Log analysis and ingestion using SOF-ELK
Can I get a tax invoice?
Yes, you can view invoices in the "Manage Account" page.
Who should take this course?
This course is aimed at:
Blue teamers
Red teamers / Penetration Testers
Incident Responders
Cloud Engineers / Security Teams
Detection Engineers
Any security professional aiming to learn more about attacking and defending the cloud
In terms of prerequisites for this course, students are expected to have:
Windows 10/11 virtual machine
SOF-ELK virtual machine (steps on how to set this up are included in the course)
Willingness to apply yourself
How long is the course available after purchase?
Access to the course is valid for 1 year starting from the date of purchase. You will get access to any course updates that are pushed during this 1-year period. Early access supporters of this course (those who purchased it prior to 13 August 2023) get access to the course forever, with no expiration.
Can I get a certificate of completion?
You will be awarded a certificate automatically upon full completion of all the sections of the course.
How do I ask course questions?
We have a Discord community where you can ask questions. While Lina and other course instructors will try to reply to questions, a reply is not guaranteed.