10. Meer informatie
Voor degenen die geïnteresseerd zijn in het leren van Azure-beveiliging en penetratietesten, is hier een lijst met relevante bronnen:
Training
[Training - Slide Deck] Microsoft Security Training Path A high-level resource provided by Microsoft follow their training paths https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4J4Mm
[Training - Live Sessions] [FREE] Microsoft Security Training Days Explore free, in-depth training from Microsoft Learn to learn how to detect threats, help keep hybrid clouds secure, safeguard information, and manage your digital security need https://events.microsoft.com/en-us/mvtd-security
[Training - Slide Deck] [FREE] Getting Started in Pentesting the Cloud: Azure Beau Bullock’s guide to starting Azure Pentesting https://www.blackhillsinfosec.com/wp-content/uploads/2022/07/SLIDES_GettingStartedinPentestingtheCloud-Azure.pdf
[Training] [Paid] Antisyphon Training - Breaching the Cloud with Beau Bullock Walks through a complete penetration testing methodology of cloud-based infrastructure on AWS, Azure, and GCP https://www.antisyphontraining.com/on-demand-courses/breaching-the-cloud-w-beau-bullock/ https://www.antisyphontraining.com/live-courses-catalog/breaching-the-cloud-beau-bullock/
[Training] [Free tier + Paid] Cloud Academy - Azure Database for learning paths, courses, quizzes, and labs, to learn Microsoft Azure https://cloudacademy.com/library/azure/
[Training] [Paid] INE - Azure Pentesting This on-demand course is intended for IT and security professionals who want to apply the most common attacks and security pitfalls in order to compromise an Azure Tenant https://ine.com/learning/courses/azure-pentesting
[Training] [Paid] Altered Security \ Attacking and Defending Azure https://www.alteredsecurity.com/azureadlab
[Training [Paid] Altered Security Azure Application Security https://www.alteredsecurity.com/azureappsec
Resources, Research & Reading
[Resource + Toolsheet] [FREE] Kyuu-Ji - Awesome-Azure-Pentest A curated list of useful tools and resources for penetration testing and securing Azure https://github.com/Kyuu-Ji/Awesome-Azure-Pentest
[Resource + Cheatsheet] [FREE] PayloadsAllTheThings - Azure Cloud Azure Command Cheat Sheet https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-access-and-token/
[Resource + Wiki] [FREE] HackTricks Cloud Azure Pentester/Red Team Methodology https://cloud.hacktricks.xyz/pentesting-cloud/azure-security
[Resource + Wiki] [FREE] Hacking The Cloud - Azure encyclopedia of the attacks/tactics/techniques that offensive security professionals can use on their next cloud exploitation adventure https://hackingthe.cloud/azure/abusing-managed-identities/
[Resource] [FREE] Microsoft Logon Portals Community driven project to list all of Microsoft’s portals in one place https://msportals.io/
[Resource + Repo] [FREE] Azure Red Team List of azure pentesting and red teaming resources and commands https://github.com/rootsecdev/Azure-Red-Team
[Reading] [FREE] ZeroSec - Azure Attack Paths: Common Findings and Fixes (Part 1) A walk through of various services within the Azure catalog and look at potential attack paths https://blog.zsec.uk/azure-fundamentals-pt1/
[Reading] [Paid] Penetration Testing Azure for Ethical Hackers Book and supplementary training materials https://www.packtpub.com/product/penetration-testing-azure-for-ethical-hackers/9781839212932 https://github.com/PacktPublishing/Penetration-Testing-Azure-for-Ethical-Hackers?tab=readme-ov-file
[Reading] [FREE] Andy Robins - Spectre Ops Azure Privilege Escalation via Azure API Permissions Abuse Azure Privilege Escalation via Service Principal Abuse https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
[Resource] [FREE] Azure Threat Research Matrix Educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs) https://microsoft.github.io/Azure-Threat-Research-Matrix/
[Reading] [FREE] Becoming an Azure Cloud ethical hacker Blog post outlines steps and resources https://rootsecdev.medium.com/becoming-an-azure-cloud-ethical-hacker-2022-edition-49de0836e7f1
Labs
[Lab] [FREE] Microsoft Azure - Free Trial Explore free Azure services. See which services offer free monthly amounts, and explore https://azure.microsoft.com/en-us/pricing/free-services/
[Lab] [FREE] Mandiant - Azure Red Team Attack and Detect Workshop A vulnerable-by-design Azure lab containing 2 x attack paths with common misconfigurations https://github.com/mandiant/Azure_Workshop
[Lab] [FREE] INE - AzureGoat An intentionally vulnerable Azure infrastructure https://github.com/ine-labs/AzureGoat
[Lab + Building] [FREE] Kamran Bilgrami - Ethical Hacking Lessons Building Free Active Directory Lab in Azure https://kamran-bilgrami.medium.com/ethical-hacking-lessons-building-free-active-directory-lab-in-azure-6c67a7eddd7f
[Lab] [Free tier] + [Paid] Pwnedlabs Real-world, byte sized cloud security labs for training https://pwnedlabs.io/
[Lab] [FREE] PurpleCloud Terraform code generator to create different Azure security labs https://github.com/iknowjason/PurpleCloud https://www.purplecloud.network/
[Lab] [FREE] Appsecco - Breaking and Pwning Apps and Servers on AWS and Azure Free Training Courseware and Labs https://github.com/appsecco/breaking-and-pwning-apps-and-servers-aws-azure-training
[Lab] [Paid] Pluralsight - Lars’ cloud playlist: Hands-on labs for Azure fundamentals Get real-life experience with Microsoft Azure. These hands-on labs are designed to help novices explore the fundamental cloud services of Microsoft Azure https://www.pluralsight.com/resources/blog/cloud/lars-cloud-playlist-hands-on-labs-for-azure-fundamentals
[Lab] [Paid] Hack the Box - Black Sky - Cyclone Enterprise only cloud penetration testing labs https://www.hackthebox.com/business/professional-labs/cloud-labs-blacksky
Certifications
[Certification - Path] [FREE] Microsoft Certification Poster Visual representation of Microsoft certs available and their applicable categories https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2PjDI
[Certification - Intro Level] [Paid] SC-900 \ Microsoft Security, Compliance, and Identity Fundamentals https://learn.microsoft.com/en-us/credentials/certifications/exams/sc-900/
[Certification - Intro Level] [Paid] AZ-900 Microsoft Azure Fundamentals https://learn.microsoft.com/en-us/credentials/certifications/exams/az-900/
[Certification] [Paid] AZ-500 Microsoft Azure Security Technologies https://learn.microsoft.com/en-us/credentials/certifications/exams/az-500/
[Certification] [Paid] Altered Security - Certified Azure Red Team Professional (CARTP) Improve your skills in Azure cloud security, Azure Pentesting and Red teaming https://www.alteredsecurity.com/azureadlab
[Certification] [Paid] Altered Security - Certified Azure Web Application Security Professional (CAWASP) Level up your skills in securing and assessing modern applications hosted in Azure https://www.alteredsecurity.com/azureappsec
[Certification] [Paid] Cyberwarfare - Azure Cloud Red Team Specialist (CAzRTS) Coming Soon https://cyberwarfare.live/product/azure-cloud-red-team-specialist-cazrts/
Azure Tools
[Tool] [FREE] Soteria - Azure Inspect PowerShell script that automates the security assessment of Microsoft Azure environments https://github.com/soteria-security/AzureInspect
[Tool + Install list] [FREE] Azure-Pentest-Toolkit This repository contains a framework of curated Azure penetration testing tools https://github.com/cr4ck3rj4ck5/Azure-Pentest-Toolkit
[Tool] [FREE] Azure - Stormspotter Stormspotter creates an “attack graph” of the resources in an Azure subscription https://github.com/Azure/Stormspotter
[Tool] [FREE] Hausec - PowerZure Framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources https://github.com/hausec/PowerZure
[Tool] [FREE] BloodhoundAD - AzureHound The official tool for collecting Azure data for BloodHound and BloodHound Enterprise https://github.com/BloodHoundAD/AzureHound
[Tool - Vuln Scan] [FREE] ScoutSuite Multi-cloud security-auditing tool https://github.com/nccgroup/ScoutSuite
[Tool - Vuln Scan] [FREE] Prowler Perform Multi-Cloud best practice assessments https://github.com/prowler-cloud/prowler
[Tool] [Free tier] + [Paid] grayhatwarfare Bucket Filter - Azure Blobs Search Public Blobs https://buckets.grayhatwarfare.com/buckets?type=azure
M365 + Entra ID (Azure AD) Tools
[Tool] [FREE] + [Enterprise] Soteria - 365Inspect PowerShell script that automates the security assessment of Microsoft Office 365 environments. https://github.com/soteria-security/365Inspect
[Tool] [FREE] Crowdstrike - CrowdStrike Reporting Tool for Azure This tool queries the following configurations in the Azure AD/O365 tenant https://github.com/CrowdStrike/CRT
[Tool] [FREE] Invictus - Microsoft-Extractor-Suite Powershell tool designed to streamline the process of collecting all necessary data and information from various sources within Microsoft https://github.com/invictus-ir/Microsoft-Extractor-Suite
[Tool] [FREE] Dirkjanm - RoadTools ROADtools is a framework to interact with Azure AD https://github.com/dirkjanm/ROADtools https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/
[Tool] [FREE] Graph X-Ray Lets you view the Graph API and PowerShell log of actions taken in the Azure Active Directory and Intune portal https://graphxray.merill.net/
[Tool] [FREE] Microsoft Graph Explorer Use the Microsoft Graph REST API to build apps that access, analyze, and augment data from Microsoft 365 https://developer.microsoft.com/en-us/graph/graph-explorer
Videos
[Video + Playlist] [Free] - Tyler Rambsey - Azure Pentesting Video playlist of Pwndlabs.io Azure Pentesting https://www.youtube.com/playlist?list=PLMoaZm9nyKaMG35DVS8Ide7hoDb3T_d1l
[Video] [FREE] Black Hills Information Security Getting Started in Pentesting The Cloud–Azure | Beau Bullock | 1-Hour https://www.youtube.com/watch?v=u_3cV0pzptY&ab_channel=BlackHillsInformationSecurity
[Video] [FREE] Leveraging Azure Resource Graph for Good and for Evil - Darwin Salazar Azure Resource Graph (ARG) and Kusto Query Language (KQL) Kung Fu https://www.youtube.com/watch?v=VjMj3KH1VtM&ab_channel=fwd%3Acloudsec
[Video] [FREE] Cloud Security Podcast - Azure Cloud Security Pentesting Skills Author of Penetration Testing Azure for Ethical Hacker shares information on Azure pentesting https://www.youtube.com/watch?v=nmBP8KcrPI8&ab_channel=CloudSecurityPodcast
** Operating Systems***
[OS] [FREE] Commando VM Windows-based security distribution for penetration testing and red teaming https://github.com/mandiant/commando-vm
Last updated