
Purple Teaming Cloud Identity Simulation Labs for Red and Blue teams

BSides Dallas/Fort Worth · 45:34 · Published 2022-11
About this talk
BSidesDFW 2022, Track 1, Session 4, 05 Nov 2022

Purple Teaming Cloud Identity: Simulation Labs for Red and Blue Teams

The increased importance of the cloud and identity is not lost on attackers. To simulate adversary tradecraft, red teams must be able to evolve offensive techniques against cloud identity systems. Cloud defenders must adapt quickly to understand these same attacks and instrument defenses. This talk will share practical use cases and effective open-source tools that security teams can use to advance their security programs. PurpleCloud (https://www.purplecloud.network) is a tool allowing security professionals to create an Azure AD penetration testing lab and other attack and defense security simulations. Enhancements for practical use and purple teaming will be shared with participants.

@securitypuck. Jason Ostrom is a SANS Instructor teaching Cloud Penetration Testing. His day job is helping the SANS Institute build solutions in the cloud. When not found doing penetration testing and security research, he enjoys authoring open-source security tools. Jason is a graduate of the University of Michigan and resides in the DFW area of Texas. https://medium.com/@iknowjason
Transcript (en)

...a five-cent tour on infrastructure as code. We're using declarative state files to push out configuration changes into the cloud. Simply put, there's different tooling to do this: there's Terraform and Pulumi. The tool that I work with a lot is called Terraform. It's a command line interface tool that you run; it has declared state in these Terraform files and it pushes it out to the cloud provider via these providers, via the API that the cloud provider makes for us. So I'm going to skip over the rest of this. If you guys want my slides I'll post them out on LinkedIn; you can follow me on Twitter and I'll get those out to you guys. I'm going to skip over a lot of slides.

Let's talk about purple teaming. We're all in this together to make our security programs better, so it's really the red and the blue team working together. You've got to make things better: the red team is going to find the vulnerabilities and work with the blue team in order to instrument log sources that are enriched, and make sure that the blue team is trained, those types of elements. So we work on detection engineering, we work on improving the log sources, and the red and blue team are working in cooperation together. So that's the concept of purple teaming.

All right, so one more slide here on purple teaming; this got a little mixed up here. There's a guy named Jorge Orchilles; he's got a lot of great resources on building your security program with purple teaming. A little side story: I was doing a consulting project where I was doing technical program building of a security team with purple teaming, and Jorge has this project called the Atomic Purple Team framework. It's a nice tool where you can take templated exercises and get the CIO and the CSO to approve those, and then you run the red team exercise, and then you look in the logs and you see if your logs actually defend against the attacks. So that's called the Atomic Purple Team framework, but he's got a lot of good stuff out there for that.

Why these security simulation labs? I kind of cringe when we say the word "cyber" in "cyber range"; I'm trying to push this towards talking about these as simulation labs. We're talking about where we push them out into the cloud provider, we run the attacks, and then we destroy them when they're done, so they're pristine environments. It saves on a lot of costs, and you can easily create them and customize them however you want. So what I want to do is give you guys some ideas: if you haven't seen some of these, maybe you can take them back to your company and use them as a learning tool to try a tactic or a technique. It gets you an environment and then you get better, right? I mean, you can't attack what you don't have access to. So when you're doing pen testing and red teaming you don't always have access to the production environment, or you want to mirror the customer environment before you start a pen test. That's why we do these simulation labs: to get better. So I'm going to talk about the old ones that have been around for a while and I'm going to talk about the new ones. The ones that have been around a while, the classic ones, are DetectionLab and Splunk Attack Range, and ADAZ, I'm going to talk for a second about that, and then there's one called GHOSTS, if you've never heard of that, and then I'm going to segue into my tools, BlueCloud and PurpleCloud, and we'll spend the rest of the time talking about PurpleCloud.

I love DetectionLab. Anyone use DetectionLab in the room? So DetectionLab is by Chris Long here, and it's basically a detection engineering lab for you to run attacks, and it has logging best practices already configured in it. It's a free tool, it's fantastic, it's very solid, very stable, and it has a lot

of nice tooling. It has Windows Event Forwarding with all the security Windows event logs you want, it has Sysmon, and it packages all that and stores it in Splunk, so when you bring up the range you can practice with Splunk and blue tuning. It also has osquery with Fleet server manager, it has Velociraptor, so it's got a lot of good stuff. So this is kind of a view of DetectionLab. I love DetectionLab.

The other one here is Splunk Attack Range. It's made by Splunk employees, and it's a little bit different than DetectionLab because they have Python orchestrator scripts that will remotely simulate attacks over the network. So Splunk Attack Range has support for Atomic Red Team, and it'll remotely run the attacks and you can map those attacks into the MITRE ATT&CK framework. So this is what Splunk Attack Range looks like. Now there's a key element here of how these are the same: they are single-host detection ranges. You run attacks on a single host that's not connected to Active Directory, and it's really good to test, like, EDR bypass, to test your endpoint security to see if it's going to instrument. But the way we're going here is looking at systems that are joined to an Active Directory domain with transitive trust.

Okay, so then we go into this tool called ADAZ. ADAZ is Active Directory hunting lab in Azure, and what this researcher did for Datadog is he basically instrumented an ELK server with best-practices log forwarding, but he made Windows 10 endpoints joined to an AD domain. So now you can do lateral movement, you can attack between the systems, you can use domain user credentials and attack systems, and then you look in the logs to see: do you have your logs properly forwarding and detecting attacks? So this is the first one looking at bringing AD systems together. Now, anyone heard of GHOSTS or played with GHOSTS yet? Charles has, because I just told him this morning. So GHOSTS is a fantastic

tool if you think about realistically simulating user behavior. So GHOSTS, the idea is it creates NPCs, non-player characters, and it's basically users on your network that are checking email, downloading files, logging in, browsing the web, connecting to SMB shares, and their behavior is captured in a JSON file. The GHOSTS binary runs on Windows 10, so it basically creates realistic static white noise. So when you're doing red teaming and blue teaming you're not just creating a digital forensics range; you're doing it while real user behavior is in there.

[Audience question, inaudible]

Yes, absolutely. It's not an API; it does support an API. They use JSON files, like timeline JSON, and so what you do is you just customize each file and put it on each Windows 10 endpoint, and then you can change those files over time. They even have a Grafana API and dashboard, so you can connect to it with the API and send commands to the console and it changes the user behavior, and then it has Grafana dashboards, which are awesome, so you can measure what users are doing over time. But then it just makes things more realistic for you. So this is a free tool, and the use case here is, if you're creating a training class, if you're creating a CTF, you can add these types of tools to that and get ideas to make things even more powerful for you. So here's kind of a use case for this: you add GHOSTS into your little cyber range, and then you're that much more effective when you do realistic simulations of attacks and defenses.

Now we get to the purpose of this. We're going to talk about my tools, BlueCloud and PurpleCloud, okay? And now we have to start to distinguish between these different simulation labs. So on the left we have the single-host focused; those were the first three that I mentioned to you, mainly DetectionLab

and Splunk Attack Range, because you're really running an attack on a single host and looking at EDR and security bypass. Then you have ADAZ, that's kind of in the middle, because on the right we have a multi-host Active Directory focus, so now we're moving into, like, lateral movement and attacks against domain-joined systems. So ADAZ is in there, but PurpleCloud is shifting even more over to the right, and I'll explain why.

So here's kind of my story and my evolution of this. I started out just creating a single instance of Azure HELK. HELK, Hunting ELK, is a SIEM that's open source by Roberto Rodriguez, the security researcher, and it's a great tool. So I created Azure HELK first. Then I took an Azure VM and instrumented Velociraptor, so Windows 10 systems automatically connect the agent to the server and you can do stuff with that. And then I combined HELK and Velociraptor together on the same server, and that was the blue team side of BlueCloud and PurpleCloud. So BlueCloud is basically Velociraptor and a SIEM instrumented in either Azure or AWS for detection engineering, but it's single host. So what you can do with BlueCloud is, if you want to run attacks against a Windows endpoint, all those logs are going to get shipped via Winlogbeat into HELK, Hunting ELK, and you have a nice Kibana interface, so you can do attack simulations that way, and then you have Velociraptor instrumented as well. I also added Atomic Red Team, Elastic detection, RITA and APT Simulator tools onto BlueCloud, but I've stopped working on BlueCloud because I put everything into PurpleCloud.

So I'm going to explain what PurpleCloud is here. Okay, now we're getting into PurpleCloud. PurpleCloud is a simulation tool where you can create a bunch of different labs; there are eight different simulators right now. And it's a first-of-its-kind identity lab where you can create your own identity lab, or hybrid identity. Okay, so we're seeing a lot of companies that are

starting to move and shift into the cloud and they're on premise as well, so they have a mixed hybrid identity, or they're fully cloud first, and so PurpleCloud is for that. So here's the documentation on the site, it's purplecloud.network. What they are are Terraform code generators that create unique ranges for your different use cases. So instead of giving you guys Terraform templates (I don't know if you guys have worked with Terraform, but it's kind of unwieldy; it has its own programming language called HashiCorp HCL, HashiCorp Configuration Language), instead of offering up templates where you have to manually edit it, I basically created Python scripts that generate the code for you. So what you do is you run a script and you pass parameters, and it'll generate all the Terraform for you. Now you guys are going to see the magic of this in the next demos where I show you how this works.

So PurpleCloud is not a guided vulnerability lab. If you're looking for a highly structured environment that already has vulnerabilities in it, this is not what that is right now. What it is is build-your-own-lab style, creative type of environments, built for security researchers, blue or red teams, to run attack simulations, and bug bounty. Any of you guys like to make money on the side doing cyber security research? You, sir? Well, check this out: Microsoft has a very generous bug bounty program, don't know if you guys have seen this. You can check this out: for identity-type vulnerabilities they pay up to 100K. So that's kind of the area that we're talking about, the bug bounty around Microsoft identity. So it's also kind of like a meta framework that has payloads and exploits; you can mix and match the different simulators to create your own custom enterprise environment. I've even had one user story where a guy let me know he created his own detection engineering training class using PurpleCloud. So it's very powerful that you can

create your own creative type of lab that you want. Okay, so I'm going to talk about the generators here, and then what we're going to do is actually do a demo of each generator. Now the demonstrations are kind of starting: what I'm going to do is build out five labs. I'm going to start building them, and then I'm going to keep on talking, and by the end I'm going to run some of the actual attack demonstrations.

Okay, so this is the first one, this is Azure Active Directory. This is the same code you guys can go out and download right now, and I'm actually going to my documentation site here and bringing up one of the usage examples. This is the only real attack example where you can run a privilege escalation attack right here; it's called service principal abuse attack primitives. So what I'm doing here is I'm going in and I'm generating HashiCorp Terraform files. So it generated all the Terraform; now I just do terraform apply and it's pushing the changes out into Azure. What it did is it created by default, I think, like 30 AD users, it created Azure AD apps and groups and service principals in a vulnerable scenario, so I'll show you guys how we can attack that. So it's already pushed it out; it was like that fast. You can create thousands of users; it has a random user generator, so you don't have to even import; it will dynamically create the users. Now I'm going to do an app consent phishing. Have you guys dealt with app consent phishing? I'm going to generate a phishing consent app; this is one of the generators, and I'm going to do terraform apply.

Okay, now this is the newest generator I just released two days ago: ADFS, Active Directory Federation Services. So this is Microsoft's on-premise SSO SAML solution: if you have applications on the internet and you want to basically have a single set of user credentials, they'll integrate into your internal Active Directory. ADFS was involved in the security incident with Golden SAML, with SolarWinds; Golden SAML is the actual exploit, and now you can actually practice this within an enterprise environment. So this is the ADFS generator. Let's generate the code real quick, ADFS lab. Let's do a real simple one, let's do a self-signed certificate, and let's generate that.

Okay, so we generated that; now let's do terraform apply. And then here's also the last one, that's the brand new generator called Azure AD Join, Azure Active Directory Join. What this is, is a lot of companies are moving into the cloud where they take Windows 10 devices and they join them to Azure AD, so then you have a single set of credentials, like your Azure Active Directory creds; you can actually log into VMs. So there's a lot of new use cases, like Microsoft Intune device management; there are VDI deployments that are using this as well. So let's do the Azure AD Join generator.

Let's just grab the most simple example here. So this is going to create users as well.

Okay, now finally the fifth one, Azure Sentinel. So PurpleCloud creates a Sentinel environment; it's basically a cloud-native SIEM, and you can do detection engineering. I've added support for PurpleSharp, so it automatically downloads PurpleSharp onto all the Windows 10 endpoints, and it ships Sysmon logs into Azure Sentinel. You can spin it up, run attack simulations, and then spin it down whenever you're done. So let's go into the Azure Sentinel generator. And the cool thing about this, I'll walk through this in the slides: you can create a realistic enterprise environment with hundreds and thousands of AD users, not just a single attack; you can create a domain controller and run Sentinel with that. So I'm just going to do, let's do one endpoint, which is one Windows 10 endpoint.

Okay, so now we're good to go. Now let's go back to the slides and then I'll keep talking; these are kind of running and they're pushing changes into the cloud. So here are the generators. We have ad.py in the top left corner; this creates an Active Directory environment. This basically competes with the first tools I showed you, DetectionLab and Splunk Attack Range. I'll talk more in depth on what it does, but if you want to play around with Active Directory in a realistic enterprise environment and learn, the ad.py generator is for you. The azure_ad.py, moving to the right, creates a realistic Azure AD environment and it pushes it out automatically. The Sentinel one creates an Azure Sentinel environment. The phishing app: any of you guys getting hit with, like, app consent phishing, or hearing about that in your security programs? The phishing app gets created for you automatically so you can do a malicious app consent phishing attack. Then we have the ADFS lab; we're generating that as well. We have the Azure AD Join generator, and then there's something called managed identity. Managed identity is when you can have, basically it's the equivalent of an instance profile attached to an Azure VM, so you can have roles attached to an Azure VM to do your business workloads. And then the storage generator creates a vulnerable storage environment; it will upload sensitive files and then you can scan and test and find vulnerable storage.

So here's the workflow: you cd into the generator directory and then you just do python, space, script name, and then you do terraform init, terraform apply, and then you're running away with it. When you're done you do terraform destroy. So it's very nice and easy to run these.

Okay, Azure Active Directory lab. So now we're talking about each one of the generators a little bit more in depth. This randomly generates as many Azure AD users as you want; you pass it as a parameter. In this example here we're creating 500 users. This is kind of what it looks like; it automatically filters out duplicate users and it outputs the files to text files, which is really nice for other automated tools.

Sorry about that. It really makes it nice for other tools to run attacks, because it'll write out the usernames to a file, the email addresses to a file, and then it writes their full name to a CSV file that has their email and their username, so you can use that for doing attacks against users. That's what I was just saying there: it auto-creates all the users and then assigns them randomly into different Azure AD groups. If you've ever tried to manually edit Terraform files it's very unwieldy, and this kind of automates all that for you. And then I have one vulnerable attack scenario, a service principal abuse attack scenario, where a user can elevate to Global Administrator. So it creates that for you, and I have a workshop, I'll provide you some information at the end on a free workshop that we created, so you can run through that yourselves.

Where we're going here is, a Microsoft researcher created the Azure Threat Research Matrix, and what we're talking about here is mapping attacks into the Azure Threat Research Matrix and then looking at our logging and our security controls to see if we can detect that. So that's what I'm going to show you guys here. Here's an example with the Azure AD lab where I generated like 300 users and then I did a password spray attacking my own tenant. These are the kind of things you guys could do: you can stand up a lab before you do a pen test to understand the behavior of Azure. You see, Azure has a feature called Azure Smart Lockout. Azure Smart Lockout will basically detect password spraying and it'll invalidate your results, so you have to be real careful on how you scan and find valid Azure users. But it can be easily bypassed; you can bypass it by rotating your IP addresses. See, this is the power of the cloud, to use it for penetration testing: you can use the infinite network capability of the cloud to rotate your IP address. So a lot of these attacks are going to start happening where you can just rotate your IP, and I'm using Amazon API Gateway. Is there a question? No? Okay. I'm using Amazon API Gateway to rotate my IPs, and let's just look here in the logs; I'll show you guys what this looks like. Let's look at my sign-in logs. I did a password spray yesterday, and look here: all the IP addresses coming in from all over the world, London, Dublin, Paris, hitting all these different Azure AD users, and they're getting in, right? Because password spraying can be effective when you rotate your IP addresses. The golden age of hacking, it used to be really, really easy, and now you have Azure Smart

Lockout, but we can still bypass that. The interesting thing about this is that I haven't seen yet Azure being able to detect this when you rotate your IP addresses, but it's completely possible to do this very easily. Do you know why? Because the cloud providers publish out their IP addresses, and they actually make it really easy for you to detect Amazon API Gateway IP address ranges. Let me show you real quick: inside of this requests-ip-rotator we have ip-ranges.json, so this is all of Amazon API Gateway's ranges for AWS. So now what you can do is you can add this into your tooling on your SIEM or your blue team, and you can parse out and correlate every IP that comes in when you're getting a password spray. And so look at this command with jq: this jq command is just parsing out all the API Gateway ranges, and these are all the API Gateway ranges. So you can instrument this in your SIEM and you can auto-detect when you're getting sprayed and they're rotating the IP addresses, and you can blacklist this dynamically. So I don't know why Azure hasn't implemented this yet, but this is something you can definitely do.

So, Sentinel detections: we can use Kusto Query Language and we can query the sign-in logs and instrument and detect when this is happening. This is another Azure Threat Research Matrix one: we have service principal privilege abuse. The attacker is elevating their privileges and assigning roles in an unauthorized way; we can use the Azure audit logs to detect this, and all this can be automated and you can run these attacks. So you can use PurpleCloud to stand this up. This is an example of a KQL query; so I'm trying to map this in and understand this attack behavior and document this with PurpleCloud.

Now here's my second simulator, the AD simulator. This is basically creating a custom SIEM environment with Azure VMs, and each one of the Windows 10 endpoints will ship Sysmon logs to a SIEM if

you wanted to. Also, one of the features that was requested was: how do you import in your own custom list of users? Well, I just added this feature; now you can create like thousands of users in a CSV file and it'll automatically build AD with those users. It will also randomly generate as many users as you want. It will automatically create OUs and AD groups and assign them, to make it look like a realistic enterprise, because that's what we see a lot. It does an automatic domain join on each VM. It will also do auto-logon of domain users; this is the most powerful feature here. Have you ever tried in a pen test to connect to a system that says the user is already logged in? This will automatically randomly select a domain user and log them in with their own domain user creds into each workstation, so then when you try and attack, you see that they're already logged in. Then you can do memory extraction techniques like Mimikatz; you can extract their LSASS credentials. So it makes it so much more realistic, and none of the other cyber ranges out there are really doing this. So this is an example of this generator creating an AD environment. It will write out a file called ad_users.csv, so you have all the users and all their passwords in a file. By default it will randomly generate user passwords.

Now this is why I change it up here: I create a Terraform file for each Windows 10, instead of using the modules interface of Terraform. Terraform has a modules interface that's unwieldy to customize, so I basically coded this where each Windows 10 Pro is a separate Terraform file. So after it generates, then you can go and manually edit the Terraform file, or copy it off and use it however you want to. So this is what it looks like after building AD: we have a domain controller, three Windows 10, they're all domain joined right there. This is the nicest one: auto-logon domain users. Now you're running realistic attack simulations, extracting credentials out of memory and doing the things that real adversaries are doing. Passwords default to strong, randomly generated, but you can also pass the command line parameter to specify your own password, making it easier for you. And then it builds a Hunting ELK and Velociraptor server, and you can even customize your own Sysmon config. So if you want to customize Sysmon, you say "I want to take these files in the range" and update the version of the Sysmon binary; it supports version 14, which is the latest right now, but you can create your own customizations. It uploads it to Azure storage, and each system downloads it when it bootstraps.

I'm a big fan of Velociraptor; like in

the DFIR community it's a very popular tool. It does Terraform; it creates an internal PKI that automatically pushes out to the server and the clients, so they automatically register, and that's all done via the Terraform TLS provider.

Now, hybrid identity: this is not a range, this is just saying it drops the latest Azure AD Connect. So if you want to research vulnerabilities on Azure AD Connect and a hybrid deployment, it takes a very long time to manually configure this every time; this tool will automatically... what you do is you do the AD generator and you do the Azure AD generator, so you've created your hybrid environment, then you just double-click on the Azure AD Connect MSI and then you bridge the two together, and everything's already downloaded for you. So it makes it easier; if you're going to do that type of research you can do that easily.

This is the Sentinel lab generator; this is one of my favorites because it makes it so easy to do attack simulations and then test out Kusto Query Language Sentinel commands. So the cool thing about the Sentinel one is you can create a real AD environment with domain controllers and Windows 10, and they're domain joined just like the AD generator, and so that's really nice. So we run PurpleSharp; PurpleSharp is automatically downloaded on each Windows 10, and then you can easily run attack simulations, and then you can go in and do a KQL query.

Malicious application consent: it creates a multi-tenant malicious application in Azure; you can use it for phishing campaigns. It's just good to understand the attack and defense of this and how logs are generated. So this maps into the Azure Threat Research Matrix right here, malicious application consent, so now we have that documented and we can study and understand that behavior. Here's an example: the user consents, and then you can go in the Azure portal, or you can use Sentinel KQL, to look at the audit logs.

And it has the managed identity generator; it creates VMs, and an attacker could steal the JSON Web Token, that's the managed identity, and log in as that user. Question in the back?

Oh, PurpleSharp? No, that's not my tool; PurpleSharp is by another guy out there, another security researcher.

PurpleSharp is like Atomic Red Team. It's a binary; it's coded in C#, and you just drop a binary and it already has all the MITRE ATT&CK framework attacks built into it. I'll try and do a demonstration; that's one of the live demos I'm going to do. So PurpleSharp is excellent. It's a newer tool, so kind of think Atomic Red Team but just drop a binary; it's not really a script, it's a C# executable.

So this is logging in as a managed identity right here, and this is what the attacker would do: they would do a JSON Web Token request, they would log in as that service principal, and in Sentinel you can actually query and see managed identity logins. So a lot of security incidents and penetration testing is using this type of attack, the managed identity attack.

You can create a vulnerable storage; it automatically uploads sensitive files. I named them like customers.csv, finance spreadsheets; you can test for this. Anonymous blob reveals a directory listing of all the files, so that's ?comp=list right there.

And then ADFS, federation: it creates an ADFS server, and it will do a self-signed certificate, or if you want to import your own trusted CA-signed cert, you can do either one. And so it creates an endpoint on your internal ADFS server and you can log in

and test it, and then you can look at the logs. It's configured with ADFS audit log security best practices, so then you can do KQL queries and you can look at that. And then this is the Golden SAML. So this is the first part of the SolarWinds breach incident: they extracted out the token-signing certificate. This was a real attack. This guy, Dr. Nestori Syynimaa, has awesome research; he's got a tool, and now you can do the first part of the Golden SAML. So I'm running that right now and hopefully I'll do that, and so now everyone can do that. Now you have a disposable lab; you can spin it up, test this attack out, and then spin it down when you're done with it. So these are the logs that are generated.

Azure AD Joined: this is the final generator. This basically will create a Windows 10 VM that's joined to Azure Active Directory. There's a lot of new use cases for this, like Microsoft Intune device management, but the interesting thing is it creates a single sign-on token called a PRT, Primary Refresh Token. So the attackers are figuring out how to extract the PRT and use it to log in as users. Think of it as like a cookie that the attacker can extract out and then use to get unauthorized access. So then you can look at these sign-in logs, and I'm documenting all this mapped into the Azure Threat Research Matrix.

So that's really the last slide where I can just kind of talk to you guys about what it is, and now maybe you understand a little bit better. PurpleCloud kind of is in the past, because it does the classic detection engineering with the AD generator, but it's also looking at the future of identity, cloud-native identity, and now you can spin up your own range, your own simulation lab, and attack cloud identity using this tool. So there are eight generators; only one of them kind of lives in the past. If you want to look at your own on-premise Active Directory then sure, you can play with that, and that's going to be useful, but the other seven generators are more looking at cloud-native types of attacks and being able to define the defense and the logs that you need. Okay, if there's no questions, I think the time...

[Audience member: ...disabled? I'm wondering about, you know, as Defender updates, it starts catching some of these.]

Yeah, great question. So you asked if Windows Defender in my labs is disabled. No, I don't disable the anti-malware scan engine on these at all. And so you're talking about the first use case where we have a classic Windows

10 and it has um uh no I just let it run and so we'll see if purple sharp runs so purple sharp is going to run a simulation on the on the Sentinel generator we'll see if it runs so that's a good question though with Windows 10 it's actually really hard to disable the anti-malware scan engine when you bootstrap a system without any user interaction it's very difficult to do that but Windows Server it's very easy to bootstrap a system to disable Windows Defender it's very easy to do that so to answer your question yeah yeah okay all right let's do it so first um Let's do let's make this fun let's first do the app consent phishing attack

okay so you guys saw you guys saw that generator that was creating the um the vulnerable malicious application so this is a tool called o365 attack toolkit it carries out an application consent phishing attack and starting to see a lot of blue teams have to deal with this where a user gets fished and their API permissions get great to get consented to allowing an attacker to read email via graph API so let's do terraform output and let's grab the um the app Secrets here we're going to use this as an attacker let's first grab the client ID now this is in my home attendant as an attacker this is in my home tenant you need the

client ID in order to build the attack and you need the client Secret so I'm going to grab that real quick and I'll do a live demo and so I just generated this with terraform it took like two seconds now I'm going to take the client Secret and plug it in here let's do terraform output client Secret

and that's the client secret right there so I'm going to destroy this as soon as this demo is over so don't worry I'm not just I'm not um so here it is now I've got enough to create an app consent phishing attack okay so I'm gonna as my as an attacker I'm going to connect here

okay so I'm an attacker right here now I'm going to generate a a URL that I'm going to use to abuse a victim now I'm going to come over here and I'm going to pretend like we fished the user that's all this was I'm going to log in as my user right here this is me I'm going to get the I'm going to get on my phone here I'm going to prove it approve

and boom right there you guys seen this prompt before so I just created the whole attack simulation right there I'm going to consent as a user and now the API abuse attack has taken place and the the attacker is now using graph API and they're inside basically being able to run now let's reload and the attacker has a nice portal where they can read my email so that was all just application consent phishing graph API abuse and we're able to do that with purple Cloud we're able to like stand that up really really fast and it also builds all of the API permissions inside of terraform so you don't have to do that you don't

know you don't have to know what what to put in it automatically does it for you so that's that's how that works and then then you can go in and you can look at your logs and you can configure logs to like detect this attack that's the idea behind this I'm not just showing you attack I'm saying we can actually defend against this now let's go look at our logs and purple Cloud allows you to rapidly do that simulate that

yeah I'm pretty much coming running out of time here unfortunately I got like four more demos I could like talk for another couple hours about this um so I think rather than trying to rush through another demo um you know stay in touch let me know if you have any questions but like the other four demos are just doing similar types of stuff like Azure active directories Sentinel purple sharp um so here here's the Sentinel lab that was created Azure Sentinel and look here it created uh what it does is it outputs each VM so now you can RDP into it oh and another cool thing that auto does if you're concerned about security it auto

whitelists your IP address so it uses terraform to detect see this is the domain controller right here that was just created it does ifconfig.me finds your public IP and adds an Azure NSG that this is us here at the hotel connecting so now you can only RDP from this Source IP address right here so that's a nice little feature and if you go change locations you do a terraform apply and it'll automatically change the nsgs so now you're not exposing your VMS to the public internet quad zero you're just you're just doing just your Source IP ad correct

foreign great great question man great question uh so if you're like a real deep Microsoft guy which I can kind of tell that you're kind of involved in Microsoft I'm just guessing here uh arm templates are kind of like the thing to do um if you're in AWS it's cloud formation right whatever the infrastructure is code to me it doesn't matter whatever works for you go for that I happen to use terraform as my day job and it's more of a universal tool that works across all Cloud providers so that's why I like terraform because you can do Azure AWS gcp and you're sticking and you're just getting good at one thing and you're pushing the changes and

terraform is actually adding a lot of providers for azure so they're I think they're pretty mature on the Azure support I mean everything I did demonstrated you guys was with terraform right now arm templates are great um I particularly don't like them as much because they're I think they're kind of unwieldy I don't know if you know Rob Roberto Rodriguez he created a project called Azure simuland and it's a golden saml adfs lab just like what I did and base full credit to him like this this tool was inspired by that the adfs generator I did because I saw his Azure simulant so that's it that's an arm template he did arm template and he did

Powershell um pscs that I can't remember what the name they're called uh desired State DSC he used desired State modules but it's very hard to edit that so what I did with um what I did with adfs here is if you go into the AWS generator is you can fully customize your adfs config by going in in here and each one of these Scripts gets downloaded from the storage container by the system so now you can easily just edit the customize how you want to install adfs and you can customize the domain join and this is a master script that downloads all that so I kind of just opened up the hood and made it easier I think to edit things

yourself that's all so everyone uh the last thing I want to say is um thank you to besides DFW for putting all this together I hope to connect more with Community here and here's the free Sans Workshop that is a guided vulnerability lab scenario with Azure active directory it's free it's a two-hour uh you can register for it and then you can do the guided vulnerability scenario and it downloads a VM that has a workbook that's a Playbook on how to run the attack so you'll create your own Azure ID pin test lab and then you'll attack it you'll run Recon with Powershell commands and then you do privilege escalation with Powershell all of it's

in Cloud shell so if you like to do Cloud shell you can run a whole pen test in Cloud show uh Azure Powershell yeah you can switch between them but I I wrote the lab in Azure Powershell yeah so that's so these are just some other resources um thank you stay in touch and I have some other references there too if you want to get the slides that's it everyone [Applause] so I guess q a any questions sounds great very informative oh good thank you thank you what's that yeah right well if adios was strong in Cloud identity you know then I'd be doing that it's just because Azure and Microsoft is so strong with like on-premise identity

you know uh I'll post them out on uh I'll post them out on Twitter soon I'm going to add this these slides to the GitHub repo in like a slides directory and then I'll just tweet that out and then um this one yeah security Puck yeah
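The app consent phishing demo above ends with "go look at your logs and configure logs to detect this attack". The following is an added example of that detection step, written for this page and not part of PurpleCloud or the speaker's material. It scans Azure AD audit-log "Consent to application" records and flags successful grants of mail- and refresh-token-related Graph scopes. The sample records are constructed JSON Lines in a simplified form of the audit-log schema (field names follow the real schema, but the ConsentAction.Permissions text is abbreviated and all users, app names and values are hypothetical); the list of risky scopes is an assumption a team would tune to its own tenant.

```python
"""Flag risky OAuth application consent grants in Azure AD audit-log records.

Added example for the app consent phishing demo; not PurpleCloud code.
"""
import json
import re

# Delegated Graph scopes that let a third-party app read or send the user's
# mail, read files, or keep access via refresh tokens. Assumed starting list;
# the consent phishing demo in the talk relies on a grant like Mail.Read.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "offline_access",
}

# Constructed sample records (JSON Lines) in a simplified form of the Azure AD
# AuditLogs "Consent to application" event. Users, app names and permission
# strings are hypothetical, not real tenant data.
SAMPLE_AUDIT_LOG = """\
{"operationName": "Consent to application", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}, "targetResources": [{"displayName": "Mail Helper Pro", "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "newValue": "False"}, {"displayName": "ConsentAction.Permissions", "newValue": "[[ConsentType: Principal, Scope: Mail.Read offline_access User.Read]]"}]}]}
{"operationName": "Consent to application", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}, "targetResources": [{"displayName": "Team Poll", "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "newValue": "False"}, {"displayName": "ConsentAction.Permissions", "newValue": "[[ConsentType: Principal, Scope: User.Read]]"}]}]}
{"operationName": "Consent to application", "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}}, "targetResources": [{"displayName": "Mail Helper Pro", "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "newValue": "False"}, {"displayName": "ConsentAction.Permissions", "newValue": "[[ConsentType: Principal, Scope: Mail.ReadWrite offline_access]]"}]}]}
{"operationName": "Consent to application", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}, "targetResources": [{"displayName": "Corporate Backup", "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "newValue": "True"}, {"displayName": "ConsentAction.Permissions", "newValue": "[[ConsentType: AllPrincipals, Scope: Files.Read.All offline_access]]"}]}]}
{"operationName": "Add user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}, "targetResources": [{"displayName": "dave@contoso.example", "modifiedProperties": []}]}
"""


def load_records(text):
    """Parse a JSON Lines audit export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _property(record, name):
    """Return the newValue of the named modifiedProperty, searching every target resource."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                return prop.get("newValue", "")
    return ""


def extract_scopes(record):
    """Return the set of delegated scopes granted in a consent record (empty if none)."""
    match = re.search(r"Scope:\s*([^\],]+)", _property(record, "ConsentAction.Permissions"))
    return set(match.group(1).split()) if match else set()


def is_admin_consent(record):
    """True when the grant was an admin (tenant-wide) consent rather than a user consent."""
    return _property(record, "ConsentContext.IsAdminConsent").strip().lower() == "true"


def find_risky_consents(records):
    """Return one alert per successful consent that grants any scope in RISKY_SCOPES.

    Failed consents and unrelated operations are skipped. Admin consents are
    still reported, flagged as such, because they apply to every user.
    """
    alerts = []
    for rec in records:
        if rec.get("operationName") != "Consent to application":
            continue
        if rec.get("result") != "success":
            continue
        hit = extract_scopes(rec) & RISKY_SCOPES
        if not hit:
            continue
        alerts.append({
            "user": rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?"),
            "app": rec["targetResources"][0].get("displayName", "?"),
            "admin_consent": is_admin_consent(rec),
            "risky_scopes": sorted(hit),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_risky_consents(load_records(SAMPLE_AUDIT_LOG)):
        print(alert)
```

On the constructed input this reports two grants: the user consent to "Mail Helper Pro" (Mail.Read plus offline_access, the combination that lets an attacker keep reading mail via Graph after the phish) and the admin consent to "Corporate Backup"; the User.Read-only consent and the failed consent are ignored. The same filter maps directly onto a KQL query over the AuditLogs table in Sentinel, which is where the talk suggests looking once the lab has generated the events.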