Book Review: Penetration Testing Azure for Ethical Hackers
Review of the book Penetration Testing Azure for Ethical Hackers by David Okeyode and Karl Fosaaen, published in November 2021.
I have been researching cloud security of late. Recently, the book Penetration Testing Azure for Ethical Hackers by David Okeyode and Karl Fosaaen showed up on my Twitter feed. The book had good reviews, so I decided to pick it up. It was published in November 2021.
Content Overview
This book is divided into eight chapters, which can largely be categorized into four parts:
Introduction to Azure and lab building
Enumeration and initial access to Azure resources
Exploitation of Azure resources for privilege escalation and lateral movement
Establishing persistence
Each chapter has hands-on exercises which the reader can perform on a live Azure subscription. The exercises can be performed using the Free Trial subscription of Azure and do not require any payment on the reader's part. The authors have provided scripts to automatically provision resources for the lab scenarios in each chapter, which makes it easy to follow along with the exercises. The authors have also provided cleanup scripts at the end of each chapter.
In terms of tools, the book covers the Azure PowerShell module, the Azure Active Directory PowerShell module, Azure CLI (on a Linux machine), PowerZure, MicroBurst, etc. The book does not cover these tools extensively, but it is enough to get readers started. The authors have also referenced a lot of free and useful Microsoft resources which could aid in enumerating the cloud environment.
The exploitation part of the book focuses on how misconfigurations in RBAC roles (Reader, Contributor and Owner) can be exploited to escalate privileges and move laterally within the network. The authors have also touched upon moving from Azure to on-premises and vice versa.
Salient Features
Here are a few things I liked about this book:
The hands-on exercises made it fun to go through this book.
Being new to cloud security, I learnt about various Azure and AAD misconfigurations that can prove dangerous for an organization.
The companion GitHub repository provides access to deployment templates and lab scripts used within the book.
Provides a good starting point for understanding and conducting Azure penetration testing.
It is good for penetration testers, red teamers, information security managers and senior executives. They can simulate real-world attacks using tactics, techniques, and procedures (TTPs) that adversaries use in cloud breaches.
Not So Salient Features
Here are a few things I did not like about this book:
It does not map attacks to either the MITRE ATT&CK framework or a Red Team Operations Attack Lifecycle.
My rating: 4.5 / 5.0