VulnCon Logo
Chirag Savla
Senior Cloud Security Engineer, White Knight Labs
Raunak Parmar
Senior Cloud Security Engineer, White Knight Labs

Name of Traning:

Offensive Azure Operations & Tactics

A full description of the training:

This comprehensive Offensive Azure Operation & Tactics course provides a deep dive into Azure's infrastructure and security landscape. Participants will explore various modules covering essential components such as Azure infrastructure understanding, enumeration techniques, initial access strategies including phishing methods, abusing reader roles, misconfigurations, and exploiting Azure services. The course extends into post-exploitation techniques, pivoting between cloud and on-premises environments, compromising Azure Kubernetes Service (AKS), devices using Microsoft Intune, Entra ID Connect features, leveraging Azure services for persistence, conducting Azure configuration assessments, and utilizing automation tools for security checks. This hands-on course equips participants with practical insights and skills crucial for identifying and exploiting Azure components.


  • Acquire practical skills in attacking Azure Cloud through hands-on experience.
  • Learning several ways to gain initial access and abusing Azure Services
  • Understanding the hybrid infrastructure and abusing the relationship between Cloud and On-prem

Outline of the Class

Day 1:

Introduction to Azure/Entra ID

  • Entra ID Components
  • Azure Services
  • Azure Intune
  • Office/Microsoft 365
  • Authentication & Authorization Methods
  • Maze of Azure Tokens

Azure Access Controls

  • Role Base Access Control
  • Attribute Base Access Control
  • Management Plane & Data Plane
  • Key Vault Access Policy

Enumeration Approach

  • Unauthenticated & Authenticated Enumeration
  • Automated Enumeration
  • Manual Approach with Custom Scripts
  • Glimpse of Security Controls

Gaining Initial Foothold

  • Phishing Techniques
  • Exposed Services
    • Storage Accounts
    • Function Apps
    • App Service
    • Logic Apps
    • K8s
  • Exposed Credentials
  • Password Spray Attacks

Post Exploitation & Lateral Movement Approach

  • Abusing Services
    • Hijacking Function Apps
    • Hunting for sensitive information
    • Hijacking Cloud Shell
    • App Services, Key Vault, Logic Apps, ACR, K8s etc
  • Abusing Managed Identity
  • Token Exchange
  • Microsoft Intune

Day 2:

Entra ID Misconfiguration

  • Shadow Admin
  • Enterprise Apps/App Registrations
    • Graph Permission
    • Owner/Members
  • Conditional Access Policy
  • Dynamic Groups
  • Guest Users
  • Authentication Methods

Pivoting From Cloud to On-prem

  • Automation Account
  • ARC
  • Hybrid Connection (Relay)
  • Intune
  • Application Proxy

Pivoting from On-prem to Cloud

  • Entra ID Connect
  • SSO
  • Stealing PRT

Maintaining persistence

  • Service Principal
  • Automation Accounts
  • ARC
  • Hybrid Connections

Configuration Assessment

  • CSI Benchmarks
    • Automated Tools
      • Open Source
      • Commercial


Basic understanding of cloud technology and penetration testing, along with familiarity in using PowerShell, Python and the Azure CLI.

Lab Requirements:

Students will need to have an Azure Tenant with P2 License and Subscription. All the Labs will be deployed in the Student’s Azure Tenant.

Participants should bring a Laptop equipped with a minimum of 8GB RAM and VirtualBox installed. We'll provide a Windows OVA file for installation within VirtualBox during the course.


This course is for anyone interested in cloud security or wanting to learn the offensive side of Azure Infrastructure. Whether you're into penetration testing, managing Azure Cloud, or just curious to learn about cloud hacking, this course explains how to find ways to get in victims Azure account. It's good for beginners and experts who want to understand more about how to do bad things in Azure, so you can learn how to stop them

What Attendees Will Get

  • All the course materials, code snippets, custom scripts, etc; will be provided to the students including the lab manual to solve the individual challenges.
  • 30 days access to the portal to deploy the lab and individual challenges for practice.


Chirag Savla
Senior Cloud Security Engineer, White Knight Labs

Chirag Savla is a Cyber Security professional with 9+ years of experience. His areas of interest include penetration testing, red teaming, azure and active directory security, and post-exploitation research. He prefers to create open-source tools and explore new attack methodologies in his leisure. He has worked extensively on Azure, Active Directory attacks, defense, and bypassing detection mechanisms. He is an author of multiple Open-Source tools such as Process Injection, Callidus, etc. He has presented at multiple conferences and local meetups and has trained people in international conferences like Blackhat, BSides Milano, Wild West Hackin’ Fest.

Raunak Parmar
Senior Cloud Security Engineer, White Knight Labs

Raunak Parmar works as a Senior Cloud Security Engineer at White Knight Labs whose areas of interest include web penetration testing, Azure/AWS security, source code review, scripting, and development. He has 3.5+ years of experience in information security. He likes to research new attack methodologies and create open-source tools that can be used during Cloud Red Team activities. He has worked extensively on Azure and AWS. He is the author of Vajra, an offensive cloud security tool. He has spoken at multiple respected security conferences like Black Hat, Defcon, Nullcon, RootCon, and also at local meetups.