# Slide Build Checklist
Use this checklist to track course-material production, and keep unverified content out of the official slides.
## Phase 0 - Production Setup
- [x] Fix the course-material production standard.
- [x] Build the source cross-reference table.
- [x] Build an OpenSlide-ready slide skeleton.
- [x] Separate the speaker notes from the slides.
- [x] Decide the actual OpenSlide import format: Markdown direct, HTML export, or a specific JSON manifest.
## Phase 1 - Foundations
- [x] Student slides: tenant, users, groups, roles, applications, service principals.
- [x] Student slides: Azure subscription, resource group, resource provider, Azure RBAC.
- [x] Student slides: differences between PRT, access token, and refresh token.
- [x] Speaker notes: how to explain the identity plane versus the resource plane.
- [x] Lab checkpoint: token / permission model concept exercise.
- [x] Sources: `[MS-TOKENS]`, `[MS-PRT]`, `[MS-ROLES]`, `[MS-CONSENT]`, `[MS-AZURE-RBAC]`.
## Phase 2 - Initial Access
- [x] Decide primary lab: controlled OAuth consent phishing checkpoint; device code remains threat context / instructor-demo candidate.
- [x] Student slides: password spraying covered only as risk and detection context, no heavy hands-on.
- [x] Student slides: differences and boundaries between device code, OAuth, and AitM.
- [x] Speaker notes: why Evilginx is not the primary lab unless John gives final confirmation.
- [x] Lab checkpoint: controlled OAuth flow in training tenant.
- [x] Sources: `[MS-STORM-2372]`, `[MS-CA-AUTH-STRENGTH]`, `[MS-CONSENT]`, `[MS-USER-CONSENT]`, `[MS-ADMIN-CONSENT-WORKFLOW]`, `[MS-DEVICE-CODE-FLOW]`, `[MS-IDP-RISK]`.
## Phase 3 - Recon and Discovery
- [x] Student slides: ROADtools / ROADrecon flow.
- [x] Student slides: AADInternals uses and limitations.
- [x] Student slides: AzureHound low-privilege visibility limits.
- [x] Speaker notes: tool choice and demo flow.
- [ ] Lab checkpoint: collect tenant data and identify candidate abuse paths. Deferred until John builds lab infra.
- [x] Sources: `[ROADTOOLS]`, `[AADINTERNALS]`, `[MITRE-AADINTERNALS]`, `[AZUREHOUND-DOCS]`.
## Phase 4 - Lateral Movement and Persistence
- [x] Student slides: application / service principal ownership abuse.
- [x] Student slides: app roles and appRoleAssignment reading.
- [x] Student slides: malicious device join / device registration persistence candidate.
- [x] Speaker notes: choose two persistence topics, keep others lecture-only.
- [ ] Lab checkpoint: app/SP abuse path with least-privilege training roles. Deferred until John builds lab infra.
- [x] Sources: `[MS-DEFAULT-PERMS]`, `[MS-GRAPH-APPROLE]`, `[MS-DEVICE-REG]`, `[MS-DEVICE-JOIN]`.
## Phase 5 - Azure Resource Abuse
- [x] Student slides: Storage Blob data role vs management plane role.
- [x] Student slides: Key Vault control plane vs data plane.
- [x] Student slides: Managed Identity token retrieval and scope.
- [x] Student slides: deployment history credential hunting boundaries.
- [x] Speaker notes: which resource abuse paths become hands-on.
- [ ] Lab checkpoint: Storage + Key Vault mandatory; Managed Identity if environment is ready. Deferred until John builds lab infra.
- [x] Sources: `[MS-STORAGE-BLOB-RBAC]`, `[MS-KEYVAULT-RBAC]`, `[MS-MANAGED-IDENTITY-VM]`, `[MS-ARM-DEPLOYMENT-HISTORY]`.
## Phase 6 - Security Boundary Discussion
- [x] Student slides: Conditional Access, MFA type, compliant device boundary.
- [x] Student slides: what each control changes in the attack chain.
- [x] Speaker notes: practical defense tradeoffs and common false confidence.
- [x] Sources: `[MS-CA-AUTH-STRENGTH]`, `[MS-TOKEN-PROTECTION]`, `[MS-DEVICE-MGMT]`.
## Parking Lot
- [x] Visual aid backlog: diagram list for identity/resource plane, consent flow, app/SP abuse, resource abuse, and defense mapping.
- [x] Screenshot / sanitized-output backlog: portal views and tool output as instructor teaching aids, not student submissions.
- [x] Student learning guide: consolidated handout for module questions and observation prompts, not a graded worksheet.
- [x] First-batch diagram drafts: identity/resource plane, OAuth consent, app/SP relationships, Azure management/data plane.
- [ ] Review and embed approved diagrams into the student deck.
- [ ] Cross-tenant sync abuse: lecture-only unless source and lab path are confirmed.
- [ ] Azure Lighthouse abuse: lecture-only unless source and lab path are confirmed.
- [ ] ADFS / Entra Connect Sync credential theft: optional advanced section.
- [ ] Azure SSO / `AZUREADSSOACC$`: optional advanced section.
- [ ] Intune / LAPS: optional advanced section.