Azure intrusion for red teamers

4800€ | 6th to the 9th of October 2025

This 4-day course introduces participants to the fundamentals of Azure, one of the top cloud platforms, and delves into its security aspects. Tailored for red teamers, the course focuses on the tactics, techniques, and procedures (TTPs) used in cloud environments, emphasizing discretion and stealth during testing. Through hands-on exercises in simulated environments, attendees will practice Azure intrusion techniques on Entra ID, Microsoft 365, Azure resources, Azure DevOps (CI/CD), Intune, and hybrid infrastructures. They will develop the skills to identify vulnerabilities and exploit weaknesses while maintaining operational secrecy. This training provides red team professionals with the knowledge to assess cloud security effectively and discreetly.


Objectives of the training

Gain state-of-the-art exploitation skills on Azure

Exploit complex yet realistic scenarios

Bypass common security mechanisms such as MFA or PIM

Compromise CI/CD infrastructures based on Azure DevOps

Stay under the radar by analyzing event logging

Field experience from 2 red team operators

The trainer

Who will run this training?

Paul Barbé

SYNACKTIV

Paul Barbé is a pentester and red team operator at Synacktiv, a French firm dedicated to offensive information security. Over the last 5 years, he has participated in a wide variety of offensive assessments, which have led him to develop an interest in cloud technologies. He shares the knowledge he has gained about these technologies by serving as a trainer for customers and student associations.
He has previously presented at Troopers, SSTIC and Pass-the-SALT.

Matthieu Barjole

SYNACKTIV

Matthieu Barjole is the Red Team leader at Synacktiv, and has a particular interest in Azure, AWS, Linux, and CI/CD environments. He has delivered multiple training sessions to help professionals improve their skills in these areas. As a cloud enthusiast, he is dedicated to providing practical, real-world security training.
He has previously presented at SSTIC and Pass-the-SALT.

Syllabus

What will we do?

Entra ID

  • Identities & access
  • OAuth 2.0 framework and Microsoft implementation (tokens, authorization flows, scopes, applications and APIs, consent)
  • Entra ID security (CAPs / MFA, PIM, authentication methods)
  • Analysis of event logging
  • Lab: getting started exercises on Azure portal
  • Lab: Application manipulations
  • Lab: Initial access (password spraying, Evilginx, discovery)

Microsoft 365

  • Review of M365 services (Teams, Outlook / Exchange, SharePoint / OneDrive, OneNote / Word / Excel)
  • Access management through Microsoft Graph vs. specific APIs
  • Post-exploitation (secrets extraction, backdooring)
  • Analysis of event logging
  • Lab: Secret extraction on multiple services
  • Lab: Manipulation of Exchange rules

Azure resources

  • Architecture, reconnaissance and discovery
  • Analysis of common resources (virtual machines, containers and registries, key vaults, app services, network topology, storage)
  • Exploitation: using managed identities, identifying compromise paths
  • Post-exploitation: lateral movement, secrets extraction, code execution on managed services
  • Analysis of event logging
  • Lab: getting started exercises on resources
  • Lab: secrets extraction on containers
  • Lab: post-exploitation tasks

Azure DevOps

  • Architecture and access management
  • Study of the implementation of CI/CD agents
  • Pipeline injections: privilege escalation, backdooring, secrets extraction
  • Analysis of event logging
  • Lab: getting started with Azure DevOps
  • Lab: pipeline injections

Intune

  • Device enrolment, relations to Entra ID and access management
  • Analysis of communications between devices and Intune
  • Post-exploitation: remediation scripts, application deployment, specific tooling
  • Analysis of event logging
  • Lab: device enrolment
  • Lab: post-exploitation tasks

Hybrid identities

  • Methods to synchronize identities, analysis of the implementation of Entra Connect/Cloud Sync agents
  • Lateral movements between Active Directory and Azure: AZURESSO, ADFS, cookie theft, PRT theft
  • Lab: different methods to perform lateral movements
  • Lab: manipulations of the Entra agents

To apply these notions, each participant will be granted access to an individual lab including multiple identities, resources and network zones, simulating a mature corporate environment. Built from our own red team experience, this lab offers a realistic scenario from external unauthenticated access to the full compromise of the organization. Finally, practical exploitation will always be carried out with discretion in mind to defeat common monitoring capabilities.

Audience and prerequisites

This training is intended for pentesters and red teamers wishing to gain state-of-the-art skills on Azure environments. No prior knowledge of Azure is required, but good networking, Windows and Unix knowledge is recommended.

Hardware requirements

  • At least 100 GB of free disk space
  • At least 12 GB of RAM
  • Ability to plug in untrusted USB drives (relevant for corporate laptops)

Software requirements

  • OS: Linux or Windows
  • Virtualization: VirtualBox or VMware Workstation Player

Provided to students

  • Presentation slides
  • VPN profile to access the lab
  • Virtual machine to attack the lab
