2023 archived version go to current version

Offensive Azure AD and hybrid AD security

4200€ | 9th to the 12th of October 2023 | Espace Vinci, Rue des Jeuneurs, Paris, France

In the past few years, many companies have adopted Azure AD as an identity platform for their cloud services, often using their existing on-prem AD in a hybrid setup. Azure AD is vastly different from on-premises AD and requires a different security approach to either attack or defend.

This training explains how organizations use Azure AD to manage modern cloud-based or hybrid environments and what security challenges this brings. It is the result of many years of research into the protocols and internals of Azure AD. The training will give you the knowledge to analyze, attack, and secure Azure AD and hybrid setups from modern attacks.

The training is technical and deep-dives into core protocols such as OAuth2 and application concepts. It includes many hands-on exercises and labs, set up as challenges, to gain access to accounts and elevate privileges.


Objectives of the training

Learn how modern enterprise and identity administration works with Azure AD;

Understand how Azure AD is secured, what common pitfalls are present and what privilege escalation methods exist.

Learn what techniques threat actors can use to breach Azure AD and how these techniques work on a technical level.

How hybrid environments are commonly set up and how can attackers move laterally between AD and Azure AD.

The trainer

Who will run this training?

Dirk-jan
Mollema

Outsider Security
@_dirkjan

Dirk-jan Mollema is a hacker and researcher of Active Directory and Azure AD security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years.

He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and has been awarded as one of Microsoft’s Most Valuable Researchers multiple times.

Syllabus

What will we do?

In the last years, more and more companies adopted Azure AD as an identity platform for their cloud
services, often using their existing on-prem AD as a source for a hybrid setup. As a red teamer,
penetration tester, or security architect, you are probably familiar with Active Directory security
concepts. Azure AD is vastly different and is built around different concepts and protocols.

This training explains how organizations use Azure AD to manage modern cloud-based or hybrid
environments and what security challenges this brings. It is the result of many years of research into
the protocols and internals of Azure AD. It will give you the knowledge to analyze, attack, and secure
Azure AD and hybrid setups from modern attacks. The training is technical and deep-dives into core
protocols such as OAuth2 and application concepts. It includes many hands-on exercises and labs,
set up as challenges, to gain access to accounts and elevate privileges.

The training covers the following topics:

  • Introduction into Azure AD and its role in the broader Azure ecosystems
  • The Azure AD cloud-only way of working and managing endpoints
  • Azure AD identities - users, apps and devices
  • Azure AD roles, privileges and privileged security model
  • Azure AD data interfaces and tools
  • Azure AD application concepts, privilege model and OAuth2
  • Azure AD application abuse and vulnerabilities
  • Hybrid Azure AD environments, integration types and lateral movement
  • Conditional access - policy types, bypasses and best practices
  • Primary Refresh Tokens and their abuse
  • Azure AD device internals and security

The training focuses on Azure AD’s use as an identity platform. The training does not cover Azure
Resource manager abuses, except the parts where it intersects with Azure AD. While a range of
(open source) tools are used during the training, the goal is to provide understanding of the inner
workings, not just on knowing how to run tools.

Outline

  • Introduction

    • What is Azure, differences between Azure IaaS, Azure AD and Microsoft 365
    • Terminology, components and their connection
    • The modern Microsoft workplace way of working
    • Identities: users, groups and devices
  • Azure AD components – Administrator roles and privileges

    • Different roles and role types
    • Privilege separation per role
    • Privilege escalation in Azure AD
  • Azure AD components – data interfaces

    • Data gathering in Azure AD
    • Portal, API, PowerShell modules and the differences
  • Azure AD components – applications

    • Apps and how they work
    • Privilege model
    • Apps and Oauth2 principles
    • Breaking and securing applications
  • Hybrid environments

    • Different integration types with on-premises AD
    • Access paths to the cloud from on-prem
    • Azure AD connect abuse
  • Identity security – Conditional Access

    • CA policies and settings
    • CA best practices and bypasses
  • Primary refresh tokens and device identity

    • Interacting with primary refresh tokens via SSO
    • Stealing and using primary refresh tokens for lateral movement
    • Using device identities to comply with conditional access policies

Student Requirements

This course is meant for people with existing experience in Windows and AD security. While the
course explains Azure AD concepts without requiring prior knowledge, general knowledge of HTTP
protocols, REST APIs, command line tools and other basic offensive techniques are required for the
labs. The hybrid labs assume prior knowledge of common Active Directory attack techniques, since
the focus is on Azure AD and not on the on-premises Active Directory attack techniques.

What Students Should Bring

Students will need a laptop with either a Windows or Linux based Virtual Machine on which they can
install tools and programs. A VPN connection to an online lab will be provided, this requires
unfiltered internet access from the VM and/or laptop. Note that some tools run only on Windows,
and do not function on Windows on ARM, bringing a laptop with an x64 processor and a Windows
VM is recommended.

Other trainings

What else might interest you?

Attacking Instant Messaging Applications

Vectorize (Nitay Artenstein & Iddo Eldor & Jacob Bech)

Attacking the Linux Kernel

Andrey Konovalov

Binary Literacy 2: Static Analysis of C++ with Hex-Rays

Rolf Rolles

iOS for Security Engineers

Victor Cutillas & Etienne Helluy-Lafont

Practical Baseband Exploitation

Vectorize (Pedro Ribeiro & Seamus Burke)

Software Deobfuscation Techniques

Tim Blazytko

Windows Internals for Security Engineers

Yarden Shafir