Session

From a cloud-only Entra account to Domain Admin - A real-life war story

Join me for a thrilling deep dive into a real-world Purple Team exercise where a Red Team started with nothing more than a cloud-only user—and ended up with Domain Admin. This session unpacks the full attack chain, revealing the clever techniques and lateral movements that made it possible. We’ll dissect each step of the journey through Microsoft Entra ID, Azure, Defender for Cloud, Defender for Endpoint, and Defender for Identity, showing not just how the attack unfolded, but how it was detected and hunted in real time using Microsoft’s security stack. Expect war stories, technical insights, and actionable detection and prevention strategies you can take back to your own environment.

L400 session

Robbe Van den Daele

MC2MC | SSCP | Security Consultant & SOC Engineer

Brussels, Belgium
