
Microsoft Entra ID (formerly Azure Active Directory) is a widely adopted cloud-based identity and access management service, facilitating secure access to applications, data, and resources. However, as a critical component of many organizations' infrastructure, Entra ID has become an attractive target for attackers seeking to gain unauthorized access and escalate privileges.

In this module, we will take a closer look at how attackers abuse authentication and permissions to gain access to cloud environments. We will analyze three significant attack vectors that leverage Microsoft's identity platform:

* OAuth & App Hijacking
* Device Code Phishing
* Illicit Consent Grant

By the end of this module you will understand:

* How attackers abuse OAuth flows
* How to identify, scope and investigate attacks in Entra ID audit logs
* The difference between delegated and application permissions and when/how attackers use them

The events in your SIEM can be found in the following timespan: 16 March 2024 - 18 March 2024

Investigating Entra ID Attacks

