Since I started red teaming, the number of red and purple team projects that I've worked on which feature some cloud element, be it Azure, AWS or GCP has steadily increased. In my last few engagements, Azure has been a large component and in some cases even the primary target objective; whether it's to take over a Global Administrator account, compromise a specific key vault, or gain access to some particularly sensitive data on a SharePoint site.
For a while, I've got by with a cursory knowledge of Azure based on my experience of using it to run infrastructure. That said, I've probably used only 5-10% of its complete capabilities and even then I still don't fully comprehend how things are working under the hood. Many of the compromises I've achieved in my red team projects so far have transpired from an issue found in Active Directory, old favourites include AD CS abuse, kerberoasting or misconfigured network shares (and increasingly, SharePoint). Those are all well and good if you're starting from an assumed breach scenario, but what if your beachhead is the Internet?
Phishing aside, threat actors have more recently turned towards cloud-based attack vectors. Whether this involves targeting external applications and infrastructure deployed on public cloud servers, compromising and pivoting through supply chain environments or even leveraging legitimate vendor services as attack launchpads. As red teamers who aim to simulate the complexities of modern attacks, understanding the cloud can be the difference between getting in and not. Given the all-pervasive nature of the Microsoft ecosystem, Azure is a decent place to start learning.
I've noticed currently that the certification market for cloud focused courses is still less common when compared to courses on Active Directory. Whilst the latter is still just as relevant to red teamers and defenders as ever, interest in the cloud is increasing, yet few of the major training providers are really honing in on it. Altered Security, known for creating highly reputed Active Directory certs such as CRTP, CRTE and CRTM have turned towards this space in recent years. As someone who has enjoyed working through their Active Directory certifications, I decided to continue down that path with their latest offering: the CARTE.
CARTE certificate awarded after completing the exam
The CARTE (Certified Azure Red Team Expert) is Altered Security's latest cloud focused red team course and certification, which focuses on attacking and defending Enterprise level Azure environments using modern tools and techniques. The advanced counterpart to the CARTP, CARTE delves into adapting the cyber kill chain to Azure, featuring current initial access, lateral movement and post exploitation techniques applied to the Azure ecosystem. Having used only a handful of the many Azure services in my day to day, getting a primer on logic apps, device code phishing and Azure key vault along with more niche topics such as JWT assertion, hybrid identity and Silver SAML attacks has definitely furthered my interest in the platform.
One of the key issues I see currently with learning anything cloud related is how quickly information changes. In its relatively short life span, several PowerShell utilities used to administer Azure have been deprecated or heavily modified. This makes it a challenge to maintain the shelf life of training material, or even Microsoft's own blog posts on the subject. I found that CARTE does a relatively good job at handling this by focusing its techniques around the core mechanics of Azure, opting for standard PowerShell tooling such as the MS Graph and Az modules as well as raw API requests to interact with the platform. There are sections where custom tooling such as GraphRunner and GraphSpy are demonstrated too, both of which I've enjoyed using on recent red team engagements, but the focus is kept firmly on understanding the platform at its base level, how it works and what can be exploited.
Bypassing CAP with Temporary Access Pass authentication
Another thing to consider about Azure is the sheer breadth of services to be covered. In the CARTE course, there are a total of four unique "kill chains" each demonstrating how to gain initial access into a cloud environment and then chaining exploits against different resources to achieve an end goal. This can vary from extracting key vault secrets, breaching an on-prem environment, or abusing SAML to escalate privileges in an Enterprise application, as it would for a given threat actor. This has great value for red teamers given that no two projects are the same. One area that I initially struggled with when learning about Azure is the "so what?" of all the different service types. As much as there is far more to the cloud than how it can be exploited, the material frames it in a way that keeps it engaging for security professionals.
One of the main reasons I come back to Altered Security's courses is the quality and stability of the lab environments. Most Azure practitioners know that running a fully fledged Enterprise environment can be costly, especially if you want to demo attacks across multiple resources or even tenants or subscriptions. The same level of care and expertise I saw from CRTP and CRTE has been applied to the CARTE labs also: the environment is highly stable, there is a good breadth of tooling available on the lab VM, and there are nice features including user simulation which help bring the attack chains to life. The lab team who maintain the environment are highly responsive, and understandably there may be times where a user simulation element needs to be reset. I only ran into this problem once in my 60 days of lab access, and the resolution time was rapid.
Internal spearphishing with Evilginx
For the material overall, there is a good balance between practicing TTPs you are likely to read in most threat intel reports, as well as lesser known techniques such as JWT signing. This helps you establish a base level of common Azure attack vectors whilst leaving room for techniques to be discovered. I found it useful to practice a few different ways to carry out the same action, which the lab is fully equipped to do. Whilst you get a base level of tooling available, there are also a couple of custom scripts in the lab which deploy Azure infrastructure to augment the attacks. I did find that some sections of the course material can feel quite dry to watch through, so I'd encourage following along with note taking and running the commands on the side. All in all, the arrangement of the different kill chains definitely helps keep things novel and interesting.
As for the content delivery itself, this is available in bootcamp form or online. I personally prefer to learn at my own pace, so I went for the online option with 60 days of lab access. This provides you the complete set of the course videos and slides covering the material as delivered by Nikhil Mittal, the founder of Altered Security. The course videos themselves are taken from an early bootcamp session for the course, so you get the added benefit of Nikhil answering student questions and performing demos in real time. I personally learn best by doing, so I spent the majority of my lab time demoing out the attacks and taking notes. I would recommend building out a personal "cheatsheet" of commands and ways of enumerating Azure, as this will pay off when it comes to real world engagements and the exam. I documented this in Markdown format using Obsidian and kept PowerShell snippets where needed.
Silver SAML attacks using Burp Suite to intercept requests
The exam, as with Altered Security's other Expert level offerings, is a 48 hour practical challenge comprised of targeting an Enterprise-level Azure environment. One of the reasons I jumped straight to doing CARTE as opposed to starting with the CARTP course was my previous professional experience in Azure, and this definitely came in handy when it came to the exam. The course material alone does a fair job of preparing you but as usual, applying the knowledge beyond the labs is key. Expect to see familiar themes and topics but arranged in different ways, which is true to the real world, whether it's bypassing a CAP policy or using an alternative API to query something. In my experience, 48 hours is ample time to get everything done and well documented for reporting. As with the labs, the exam environment was highly stable although it is best to be mindful of not running too many memory-intensive applications at once as RAM is limited (Azure is expensive!).
I managed to crack the entire exam lab within 24 hours of starting whilst getting rest, eating and fully documenting the attack chain. I did end up losing time along the way, but I'd put that down to missing some obvious enumeration steps and classic exam overthinking. After 48 hours of lab time is up, you get another 48 hours to put together and submit the report as a PDF. A few days later you'll get your results via email:
Getting the exam pass email
Overall, CARTE was great for getting quickly up to scratch with Azure. I originally picked it up in the midst of a 3 month red team with a heavy Azure component, and needed to round off my current skills. I'd recommend the CARTE to anyone in red teaming or pentesting looking for a good primer on Azure and to level up their cloud game. Many thanks to Nikhil, the CARTE creators and the lab team for putting together another fun and informative course.