- It’s possible this could be run using Azure AD (Azure Active Directory) in combination with some pentesting tools:
  - BadBlood
  - BloodHound, PlumHound
  - BruteLoops
- SIEM
  - Sentinel along with some Kibana Query Language and some implementation of SARIMA somehow
  - Use the ELK stack along with some sort of fake AD environment

# Random

- [https://github.com/davidprowe/BadBlood](https://github.com/davidprowe/BadBlood)
- [Azure Sentinel – Cloud-native SIEM Solution | Microsoft Azure](https://azure.microsoft.com/en-us/products/microsoft-sentinel/)
- [Log Analytics tutorial - Azure Monitor | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial)
- Linux commands
  - cat, cut, sed, awk
- [https://github.com/arch4ngel/bl-bfg](https://github.com/arch4ngel/bl-bfg)
- [https://github.com/arch4ngel/BruteLoops](https://github.com/arch4ngel/BruteLoops)
- [Viscosity - OpenVPN Client for Mac and Windows](https://www.sparklabs.com/viscosity/)
- [GlassWire - Personal Firewall & Network Monitor](https://www.glasswire.com/)
- [HostRecon/HostRecon.ps1 at master · dafthack/HostRecon](https://github.com/dafthack/HostRecon/blob/master/HostRecon.ps1)

# Things to learn

- Sys admin
  - ADCS
  - Sysinternals
  - Azure AD
- KQL
  - Sentinel
- Threat optics stacks
  - logging
  - Sysmon
    - event ID 11 & 3
    - lnk, cpl, ps1 (files)
- Userland?
  - users shouldn’t be running as admin all the time
- SIEMs
- C2
  - Metasploit
    - resource files
- Wardriving
  - [wigle.net](http://wigle.net)
  - GPS puck
  - solar-powered
- Malicious LNK
  - file shares on the DC
- NT Directory Services