# README

29 Learning Objectives, 72 Tasks > 115 hours of learning

{% embed url="<https://azredlabs.enterprisesecurity.io/>" %}

{% hint style="danger" %}

```
Contact me on LinkedIn : https://cli-ck.me/rfs
```

{% endhint %}

### **Module I: - Introduction**

* Learn about Azure services & Azure AD components.
* Gain an understanding of the service models supported by Azure and of Azure architecture.
* Learn the process of discovering & enumerating Azure & Azure AD resources.
* Learn about the access control mechanism supported by Azure for granting privileges to end users.

### Module II: - Applications (App Services, APIs)

* Understand the application services that are offered by Azure.
* Gain a deep understanding of App Service and its environment.
* Understand how to deploy code in App Service and the various configuration options that can be applied to any application leveraging App Service.
* Understand the management portal of App Service.
* Learn how to exploit web application vulnerabilities and extract information from the applications hosted on App Service.
* Learn about the various REST API endpoints that Azure offers for managing various services.

### **Module III: - Authentication & Authorization**

* Deep dive into OAuth and the authentication and authorization process.
* Gain an understanding of JWT tokens and the types of tokens supported by Azure, such as ID Token, Access Token, and Refresh Token.
* Understand Managed Identity and the process to enumerate and request access tokens.

### **Module IV: - Azure WAF**

* Learn about Web Application Firewall.
* Learn about the Azure services that support WAF, such as Application Gateway, Front Door, and CDN.
* Gain an understanding of the process that can be followed to bypass WAF.

### **Module V: - App Registrations, Enterprise Apps & Conditional Access Policy**

* Learn and explore App Registration and Enterprise App components offered by Azure AD.
* Understand how Illicit Consent Grant Attacks work and learn to write a simple function app that captures the token information and saves it in table storage.
* Learn about the Microsoft Graph API and ways to abuse misconfigured permissions.
* Learn about Conditional Access Policies and how they can help us restrict users from gaining access to resources.

### **Module VI: - Function Apps**

* Understand what Function Apps are, how they are deployed in Azure, and their functionality.
* Gain an understanding of the stateful Function App feature known as Durable Function Apps.
* Learn how to exploit a vulnerability in a Function App and extract information.
* Learn ways to read the source code or create a new function in the Function App by leveraging the Master Key.

### Module VII: - Key Vaults

* Learn about Key Vaults and their REST API endpoints.
* Understand the access control methods that Key Vault supports.
* Understand the need for using recovery policies.
* Learn how to leverage various RBAC roles and Key Vault access policies to extract the secrets and decrypt the encrypted values.

### **Module VIII: - Storage Accounts**

* Learn about Storage Accounts and the types of storage services.
* Understand the various access control methods, such as AAD User, Shared Key, Shared Access Signature, and Connection String.
* Learn how to leverage various options to gain access to the Storage account.

### **Module IX: - Databases**

* Learn about various Database services offered by Azure such as Cosmos DB, Azure SQL, PostgreSQL, MySQL/MariaDB.
* Understand the benefits of using specific Database services.
* Understand the ways to gain access to a Cosmos DB account and extract information.

### Module X: - Application Proxy & Azure API Management

* Learn about Application Proxy and its components.
* Understand the authentication workflow of the Application Proxy.
* Learn about Azure API Management service and understand how it can help us to protect and restrict the APIs.

### Module XI: - Microsoft Defender for Cloud & Microsoft Defender for Cloud Apps

* Gain an understanding of the Microsoft Defender for Cloud Apps solution, its architecture, and its features.
* Gain an understanding of what Microsoft Defender for Cloud is and how it can help us secure the infrastructure.
* Learn about the various alerts that can be triggered if it is integrated with App Service.

### Module XII: - Defense

* Learn about the approach that can be followed to secure/protect various resources hosted in Azure.
