Korstiaan Stam - Advanced Cloud Incident Response in Azure and Microsoft 365 - DCTLV2025

Name of Training: Advanced Cloud Incident Response in Azure and Microsoft 365
Trainer(s): Korstiaan Stam
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,050

Course Description: 

This hands-on two-day training offers a comprehensive guide to incident response in the Microsoft cloud, covering the topics essential for handling threats and attacks. The course starts with an overview of the Microsoft cloud concepts that are relevant for incident response. Participants will learn how to scope an incident in the Microsoft cloud and how to leverage the platform to set up an incident response capability. On the first day you will be immersed in the world of Azure attacks: we cover the different phases of an attack, focusing on the evidence an attack leaves behind and how you can identify attacks based on the available evidence. On the second day we will shift our focus to Microsoft 365. The training covers the different types of evidence available in a Microsoft 365 environment. Participants will gain an understanding of how to acquire data from a Microsoft 365 environment using multiple methods and tools, and how to parse, enrich, and analyze the Microsoft 365 Unified Audit Log (UAL). The best part of the training is that everything you learn you'll apply in hands-on labs in a CTF-like environment. Additionally, we have created two full attack scenarios, one in Azure and one in M365, and in the CTF you're tasked with solving as many pieces of the puzzle as you can.


Course Outline: 

Day 1

  • Course introduction

  • Azure IR introduction

  • Azure Terminology & Hierarchy

  • Entra ID, Users, Groups & Security Principals

  • Entra ID Roles

  • Entra ID Hybrid setup

  • Entra ID Security (Conditional Access & Identity Protection)

  • Exercise 1.1 - Exploring Azure

  • Azure & Entra Audit & Logging

  • KQL for Incident Response

  • KQL Introduction

  • Need to know KQL commands

  • Advanced KQL

  • Exercise 1.2 - KQL Querying

  • Graph API for Incident Response

  • Graph API calls for IR

  • Azure Attack Techniques - Part I

  • Azure Attack Overview

  • Reconnaissance: Internal and External

  • Initial Access: Valid accounts, Password Attacks & Malicious apps

  • Exercise 1.3 - Investigate Recon & Initial Access

  • Azure Attack Techniques - Part II

  • Execution Introduction & Azure RunCommand

  • Execution: Virtual Machine Scripting & Automation accounts

  • Execution: Function app & Cloud Shell

  • Privilege Escalation: PIM & Elevated Access Toggle

  • Privilege Escalation: Azure AD applications

  • Persistence: Account Creation & Network Security Group Modification

  • Persistence: Azure Lighthouse & Delegated Administrators

  • Persistence: Cross-Tenant Synchronization & Subscription Transfers

  • Persistence: Federated options

  • Exercise 1.4 - Execution, Persistence & Privilege Escalation

  • Azure Attack Techniques - Part III

  • Credential Access: Tokens & Application secrets

  • Credential Access: KeyVault dumping

  • Exfiltration

  • Azure Attack tools

  • Exercise 1.5 - Credential Access, Exfiltration

  • Responding to Azure attacks

  • Introduction & NIST model

  • Cloud Incident Response: Preparation

  • Cloud Incident Response: Investigate & Contain

  • Cloud Incident Response: Remediate & Recover

  • Token & Session Revocation

  • Azure Incident Response tools

-------------------------- End of day 1---------------------------------------------

Day 2

  • Microsoft 365 IR introduction

  • Microsoft 365 - Forensic artefacts

  • Microsoft 365 - Course introduction

  • Unified Audit Log: Introduction & Advanced Auditing

  • Unified Audit Log: Structure

  • Unified Audit Log: Access & Acquisition

  • MailItemsAccessed

  • Everything you need to know about the MailItemsAccessed Operation

  • Exercise 2.1 - Exploration of the UAL

  • Microsoft 365 Email Forwarding Rules

  • Forensic analysis of inbox rules

  • Forensic analysis of transport rules

  • Forensic analysis of the Message Trace Log (MTL)

  • Microsoft 365 Attack Techniques - Part I

  • Microsoft 365 Attacks Overview

  • Initial Access: Phishing

  • Initial Access: MiTM & AiTM attacks

  • Microsoft 365 Attack Techniques - Part II

  • Execution: API calls & PowerShell

  • Persistence & Privilege Escalation: Account manipulation

  • Persistence & Privilege Escalation: Account Creation & MFA registration

  • Microsoft 365 Attack Techniques - Part III

  • Collection & Exfiltration: eDiscovery & Content search

  • Collection & Exfiltration: Power Automate abuse

  • Exercise - Compromise of an email account

  • Microsoft 365 Attack tools

  • Access Token abuse

  • Access Token abuse & Family Of Client IDs (FOCI)

  • Exercise - Extracting & Manipulating tokens (Live Lab)

  • Microsoft 365 Anti-Forensic techniques

  • Microsoft 365 IR Tools & Techniques

  • Microsoft Extractor Suite

  • Hawk

  • Untitled Goose Tool

  • Microsoft Defender for Cloud Apps

  • Exercise - Using the Microsoft Extractor Suite

  • Best practices for remediation and recovery in Microsoft 365

  • Remediation & Recovery - Walkthrough

  • Bonus exercises:

    • Investigating OAuth apps

    • Investigation of a malicious Function (Live Lab)

    • Investigation of a suspicious automation account (Live Lab)

  • CTF Time

  • Azure CTF

  • Microsoft CTF

-------------------------- End of day 2---------------------------------------------

Difficulty Level:

Intermediate/Advanced

Suggested Prerequisites:

Experience with the Microsoft cloud will prove very useful for keeping up. Experience with PowerShell and/or KQL is not required but will help you gain even more from the training. You must also not be afraid of the command-line interface, as this is a hands-on training and not everything will be done in the GUI.

What Students Should Bring: 

Important: You only have to bring your laptop with a browser and we will provide you with access to the cloud tenants and investigation data.

Trainer(s) Bio:

Korstiaan Stam is the Founder and CEO of Invictus Incident Response and a SANS Trainer for FOR509: Cloud Forensics and Incident Response. Korstiaan is a passionate incident responder, preferably in the cloud. He has developed and contributed to many open-source tools related to cloud incident response. Korstiaan has gained a lot of knowledge and skills over the years, which he is keen to share.

Well before the cloud became a hot topic, Korstiaan was already researching it from a forensics perspective. “Because I took this approach I have an advantage, because I simply spent more time in the cloud than others. More so, because I have my own IR consultancy company, I spent a lot of time in the cloud investigating malicious behavior, so I don’t just know one cloud platform, but I have knowledge about all of them.” That equips him to help students with the challenge of every cloud working slightly or completely differently. “If you understand the main concepts, you can then see that there’s also a similarity among all the clouds. That is why I start with the big picture in my classes and then zoom in on the details.” Korstiaan also uses real-life examples from his work to discuss with students the challenges he has faced, relating them to their day-to-day work. “To me, teaching not only means sharing my knowledge on a topic, but also applying real-life implications of that knowledge. I always try to combine the theory with the everyday practice so students can see why it’s important to understand certain concepts and how the newly founded knowledge can be applied.”

Registration Terms and Conditions: 

Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.

Trainings are non-refundable after July 8, 2025.

Training tickets may be transferred. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.