Investigating Entra ID Attacks

Microsoft Entra ID (formerly Azure Active Directory) is a widely adopted cloud-based identity and access management service, facilitating secure access to applications, data, and resources. However, as a critical component of many organizations' infrastructure, Entra ID has become an attractive target for attackers seeking to gain unauthorized access and escalate privileges.

In this module, we will take a closer look at how attackers abuse authentication and permissions to gain access to cloud environments. We will analyze three significant attack vectors that leverage Microsoft's identity platform:

  • OAuth & App Hijacking
  • Device Code Phishing
  • Illicit Consent Grant

By the end of this module you will understand:

  • How attackers abuse OAuth flows
  • How to identify, scope and investigate attacks in Entra ID audit logs
  • The difference between delegated and application permissions and when/how attackers use them

The events in your SIEM can be found in the following timespan: 16 March 2024 - 18 March 2024
