
Altered Security - Azure Cloud Attacks for Red & Blue Teams - Advanced Edition - DCTLV2025
Name of Training: Azure Cloud Attacks for Red and Blue Teams - Advanced Edition
Trainer(s): Altered Security
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,200
Course Description:
Azure and Entra ID are widely used by enterprises for a variety of purposes. There is a huge offering of services across various categories in Azure - Identity, Compute, Networking, Storage, Databases, Analytics, Security and many more.
Azure, like any other cloud, changes rapidly and Microsoft keeps adding new defenses both as improvements and new security service offerings.
This advanced class is designed to help security professionals to understand, analyze and practice attacks in an enterprise-like live multi-tenant Azure environment that has effective security controls in place.
Non-exhaustive list of topics:
- Introduction to attack methodology and tools
- Microsoft Identity Platform
- Understanding Authorization grant flow and Device code Phishing
- Dynamic Device Code Phishing
- Understanding and abusing Family of Client IDs (FOCI)
- Abusing minimal privileges for signing JWT assertions
- Executing attacks across tenants using Cross-tenant access settings
- Abusing Privileged Identity Management (PIM) role assignments
- Abusing GitHub actions
- Cloud to on-prem lateral movement - Abusing Microsoft Entra Kerberos
- Token extraction from applications
- Setting up custom Azure infrastructure for Illicit Consent Grant
- Understand Azure Lighthouse and Abuse service provider permissions
- Cloud to on-prem lateral movement - Abusing Arc-enabled servers and extensions
- Bypassing Defenses like MFA (Authentication Strength, Phishing-resistant and more)
- Evading Conditional Access Policies and Continuous Access Evaluation
You get two months of access to a live Azure lab environment containing multiple tenants, during and after the class, and an attempt at the Certified by AlteredSecurity Red Team Expert for Azure (CARTE) certification.
Course Outline:
Day 1
- Introduction to attack methodology and tools
- Microsoft Identity Platform
- Introduction to OAuth
- Microsoft Graph
- Initial Access - Device Code Phishing
- Executing device code phishing manually
- Tools for device code phishing
- Initial Access - Dynamic Device Code Phishing
- Setting up custom Azure infrastructure for dynamic device code phishing
- Privilege Escalation - Understanding and abusing Family of Client IDs (FOCI)
- Defense Evasion - Evading MFA
- Defenses against Device Code Phishing
- Privilege escalation - Abusing Key vault actions for signing JWT Assertions
- Privilege escalation - Abusing Attribute-based Access Control (ABAC)
- Privilege escalation - Abusing application permissions
- MFA Evasion (Exclusions in Conditional Access Policies)
- Defense evasion - Understanding and abusing Temporary Access Pass (TAP)
- Lateral movement - Executing attacks across tenants using Cross-tenant access settings
- Defense evasion and privilege escalation - Abusing Privileged Identity Management (PIM) role assignments
- MFA bypass for PIM role activation
- Initial Access - Abuse of mutable claims in applications
- Defense against claims abuse
- Understand Logic apps and their abuse for privilege escalation
- Cross tenant movement by abusing B2B collaboration
- Cloud to on-prem lateral movement - Abusing cloud sync
- Persistence - Abusing the cloud sync service account
Day 2
- Initial access - Abusing GitHub actions
- Enumeration - Authentication strength and conditional access
- Defense evasion - Evade phishing-resistant MFA
- Data mining - Token extraction from office apps using multiple methods
- Understanding Microsoft Entra Kerberos and Azure File Shares
- Cloud to on-prem lateral movement - Abusing Microsoft Entra Kerberos
- Initial Access - Illicit Consent Grant
- Setting up custom Azure infrastructure for Illicit Consent Grant
- Defense against Illicit Consent Grant
- Defense Evasion - Evade conditional access, CAE and MFA
- Initial Access - Attacker in The Middle phishing
- Privilege Escalation - Session Cookie Replay
- Defense evasion - Bypass MFA
- Understanding Cloud Service Providers and Partners in Azure
- Understanding Azure Lighthouse
- Privilege Escalation - Abuse service provider permissions
- Understanding Azure Arc
- Cloud to on-prem lateral movement - Abusing Arc-enabled servers and extensions
- Defense against Arc-enabled servers
- Understanding SQL Servers in Azure Arc and Azure SQL Database
- On-Prem to cloud lateral movement - Abusing Linked Servers
- Privilege Escalation - Abusing SAML SSO to access enterprise applications as other users
Difficulty Level:
Advanced
Suggested Prerequisites:
- Good understanding of Azure and Entra ID
- Good understanding of Azure Red Teaming
What Students Should Bring:
- System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes.
- Privileges to disable/change any antivirus or firewall.
Trainer(s) Bio:
Keanu is an information security researcher from Belgium with several years of hands-on experience performing penetration tests and red team assessments for organizations, and currently leads an offensive security team. While he has a passion for all offensive cybersecurity topics, he mostly specializes in Active Directory, Azure AD and Social Engineering.
He has presented at security conferences such as BruCon, and is the author of the Microsoft 365 and Entra attacking toolkit GraphSpy. He is an instructor for various Azure Red Teaming courses with Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.