I have been researching cloud security of late. Recently, the book Penetration Testing Azure for Ethical Hackers by David Okeyode and Karl Fosaaen showed up on my Twitter feed. The book had good reviews, so I decided to pick it up. It was published recently (at the time of writing), in November 2021 (another reason for choosing this book).
This book is divided into eight chapters, which can largely be categorized into four parts:
- Introduction to Azure and lab building
- Enumeration and initial access to Azure resources
- Exploitation of Azure resources for privilege escalation and lateral movement
- Establishing persistence
Each chapter has hands-on exercises which the reader can perform on a live Azure subscription. The exercises can be performed using the Free Trial subscription of Azure and do not require any payment on the reader’s part. The authors have provided scripts to automatically provision resources for the lab scenarios in each chapter. This makes it easy to follow along with the exercises. The authors have also provided clean-up scripts at the end of each chapter.
In terms of tools, the book covers the use of the Azure PowerShell module, the Azure Active Directory PowerShell module, Azure CLI (on a Linux machine), PowerZure, MicroBurst, etc. The book does not cover these tools extensively, but it’s enough to get readers started. The authors have also referenced a lot of free and useful Microsoft resources which could aid in enumerating the cloud environment.
The exploitation part of the book focuses on how misconfigurations in RBAC roles (Reader, Contributor and Owner) can be exploited to escalate privileges and move laterally within the network. The authors have also touched upon moving from Azure to on-premises and vice versa.
Here are a few things I liked about this book:
- The hands-on exercises made it fun to go through this book.
- Being new to cloud security, I learnt about various Azure and AAD misconfigurations that can prove dangerous for an organization.
- The companion GitHub repository provides access to deployment templates and lab scripts used within the book.
- Provides a good starting point for understanding and conducting Azure penetration testing.
- It is good for penetration testers, red teamers, information security managers and senior executives. They can simulate real-world attacks using tactics, techniques, and procedures (TTPs) that adversaries use in cloud breaches.
Not so salient Features
Here are a few things I did not like about this book:
- It does not map attacks to either the MITRE ATT&CK framework or a Red Team Operations Attack Lifecycle.
My rating: 4.5 / 5.0
Uday Mittal is a cybersecurity professional with rich experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness, offensive security research, etc., and has authored various articles on topics related to cybersecurity and software development for a leading magazine on open source software.