Becoming an Azure Cloud ethical hacker (2022 edition)
It’s my second week back in my home office after a week out at Black Hat in Las Vegas, and I was approached by a handful of people asking how one breaks into cloud penetration testing.
The short answer is that it is not as straightforward as it should be. One primary ingredient is to start understanding Azure/M365 operations from a blue team perspective. That is how my background started several years ago. I did things a little backwards: I had been taking care of Azure environments since 2014. It really started out with Microsoft 365 at first, but then I pivoted into supporting Azure Active Directory while I was taking care of Active Directory Domain Services environments. I didn’t start getting certified in Azure until 2019. (I waited too long and should have done it earlier to showcase my skill sets.)
Anyone wanting to get into the Azure pentesting space and understand it should do a little bit of blue first. Then go red. It will be easier to understand the concepts of attacking Azure once you are familiar with how Azure Active Directory works. Here is the order I recommend, along with a list of resources for anyone getting started.
1. Sign up for an M365 Developer account.
It’s free. Use the link below:
When you sign up, make sure you use a personal address. You will get 25 E5 licenses. (Reminder: these are dev licenses. Don’t use them like you would in a production environment. Microsoft is generous enough to offer this program; use it wisely and for your education.) Once you are signed up and have followed the wizard for setting up your Azure tenant, you should be good to proceed to step 2. It’s important to set up your lab first, so don’t skip this step.
2. Skill up on the fundamentals first!
It’s completely free to learn Azure Fundamentals, and through Microsoft Virtual Training Days you will earn a free exam attempt that you can take in the comfort of your home. You should have a dev tenant stood up at this point, which will allow you to explore Azure while you are learning the core concepts in the fundamentals training course.
Learning the fundamentals may not be the most fun thing you will do in the Azure space, but it’s very important to get a firm grasp on Azure core concepts before diving into other concepts in Azure and M365.
Once you successfully pass Azure Fundamentals, I would pivot over to Microsoft 365 Fundamentals. While there is no free certification for this through Microsoft Virtual Training Days, there is online training that is absolutely free at the link below (the certification exam is $99):
This will teach you all the core concepts on M365 including how licensing works.
3. Learn how Hybrid works.
Microsoft provides free online training for hybrid as well. This will teach you things such as how on-premises Active Directory identities get synced to Azure Active Directory in the cloud. It’s also fundamental to learn how this whole process works. I would encourage anyone to set up a virtual lab environment and deploy an evaluation of Windows Server 2022 with the AD DS role and Azure Active Directory Connect. You will learn a lot from doing so.
Hopefully by now you have a good understanding of how Azure and M365 are laid out and how identities from Active Directory operate in the cloud. Once you have completed these first three sections, you should be ready to move on to Azure/M365 security.
4. Learning about M365 Security
The MS-500 is what I would start out with in M365 Security. You will learn a lot about securing Azure identities, implementing threat protection, and M365 governance.
This is one of the first courses I got certified in while I attended Microsoft Ignite. I passed it with a day or two of studying. I was extremely familiar with several of the concepts already and found it to be an easy pass. If you are new to M365 and how it works in Azure your preparation could take longer.
5. Buckle up and do some Azure Security Engineering!
The AZ-500 is by far one of the most difficult exams that I’ve ever taken (next to the OSCP). I passed it a little over a year ago, and it took me about a month and a half to prepare for it. While doing all the Microsoft Learn modules is free, I highly recommend you work on securing some of the workloads mentioned in the AZ-500 in an actual Azure tenant. (Yes, deploying workloads does cost money.) When you did step 1 by signing up for an M365 developer subscription, you should have had the opportunity to get $200 in Azure credits when you created an account. I’m unsure if Microsoft still offers the credits, but if they do, I would not let them go to waste.
I did find it helpful to develop Azure skills through an MSDN account. If your company has MSDN offerings, I highly suggest requesting one. Professional accounts will give you $50 monthly in Azure credit. Enterprise MSDN accounts will give you $150 monthly in Azure credit. One important thing I would mention: make sure that in your MSDN subscription you set up a secondary account and set it to the global admin email address in your Azure dev tenant. You usually have to wait a day after doing this, but you should then be able to activate the Azure credits for your dev tenant. If I did not have an MSDN subscription, I would not be able to constantly learn things in Azure as I have been.
6. Become a Ninja and learn to log like a lumberjack with Azure Sentinel
I humbly believe every penetration tester and red teamer should be running Azure Sentinel and Defender for Cloud in their dev tenants. Knowing how detections work against the attacks you are performing will make you very effective with your cloud offensive skillset. Knowing what does and does not get detected can make a large impact against an enterprise organization.
7. More Ninja Training! All Free
8. Microsoft Rules of Engagement (When you go out into the wild and on your own)
It’s highly important that you follow Microsoft’s rules of engagement and know what is in versus out of scope when testing Azure. In other words, don’t get yourself into trouble by doing something that is not within the bounds of Microsoft’s ROE.
This is also a decent overview of Penetration Tests and Red Team exercises for cloud. It contains a nice document on Enterprise Cloud red teaming and does a good job at explaining methodology and differences between pentesting and red teaming in the cloud.
9. Educate yourself with some TTPs.
Microsoft recently released the Azure Threat Research Matrix. This is an excellent resource for getting familiar with TTPs during each phase of a cloud penetration test.
Below is a link to the MITRE ATT&CK framework covering cloud-based attacks.
10. Azure Pentesting Resources. Finally, let’s pwn!
So can you skip steps 2 through 8 and come straight here? You may struggle with some of the pentesting material, especially if you have never used Azure before. That is why I think it’s better to start off knowing sysadmin/blue team operations before switching over into this space. You will be able to absorb the material faster, and you will understand the concepts better.
With that being said, one of the best books on Azure pentesting with hands-on labs is a book written by David Okeyode and Karl Fosaaen. It’s a fantastic read, and the lab scripts are excellent.
SANS Microsoft Azure Workshop (On Demand)
I personally have not taken this yet, but I’ve downloaded the VM and fully intend on doing the labs contained within it. Free SANS workshops, in my opinion, have always contained stellar content.
More workshops worth mentioning
Mandiant Azure Workshop
INE-LABS
Purple Cloud
Closing
I really hope this helps people out who want to get into the cloud pentesting space, or at a minimum gives you enough resources at your disposal if you want to get into Azure cloud security.