Welcome!¶
MAAD-AF is an adversary emulation toolkit developed by Vectra AI to perform simple, fast and effective security testing against an M365 and Azure AD tenant. Using MAAD-AF, security teams can quickly execute attacker tactics and techniques in a Microsoft 365 and Azure AD environment in order to test their detection and response capabilities for such techniques.
In case it wasn’t obvious enough already, MAAD-AF stands for M**icrosoft 365 and **A**zure **AD **A**ttack **F**ramework. What else could it possibly be? :)
Note
Fun facts about MAAD-AF which may interest your prospects and customers
MAAD-AF is built from the ground up by [Vectra AI](https://www.vectra.ai).
MAAD-AF uses living-off-the-land techniques leveraging native services and
APIs provided by Microsoft, not exploits or 0-days which risk being patched. - MAAD-AF executes techniques which are leveraged by attackers. Users can be confident that they are testing their defenses against realistic activity. - MAAD-AF is fully open source. That means a few cool things:
It is free!
Anyone can use it!
Anyone can contribute to it! (and we hope you do)
Anyone can validate and audit the code base!
MAAD-AF is no setup requirement tool. Simply download and start using it.
MAAD-AF Arsenal¶
The following modules are available within MAAD-AF as of this lab’s creation as of (September 2022):
|-------------|—————–| | Internal Recon for Azure AD | [Account Discovery](https://attack.mitre.org/techniques/T1087/) | | Create Backdoor Admin Account | [Create Account: Cloud Account](https://attack.mitre.org/techniques/T1136/003/) | | Modify Allowed IP Space | [Impair Defenses](https://attack.mitre.org/techniques/T1562/) | | Disable Mailbox Forwarding | [Impair Defenses: Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) | | Disable Phishing Monitoring | [Impair Defenses](https://attack.mitre.org/techniques/T1562/) | | Hide Signs of Exchange Access | [Hide Artifacts: Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008/) | | Configure Exchange Mailbox Forwarding | [Email Collection: Email Forwarding Rule](https://attack.mitre.org/techniques/T1114/003/) | | Enable External Teams Access | [Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) | | Use eDiscovery for Data Exfiltration | [Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) | | Brute Force a Password | [Brute Force](https://attack.mitre.org/techniques/T1110/) | | Disable Tenant-level MFA Policies | [Impair Defenses](https://attack.mitre.org/techniques/T1562/) | | Exploit Sharepoint | [Data from Information Repositories: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) | | External Recon | [Active Scanning](https://attack.mitre.org/techniques/T1595/) | | Obfuscate Access via TOR Proxy | [Proxy: Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003/) |
About This Lab¶
In this lab, you will:
Set up MAAD-AF (which is very easy)
Understand the layout of the MAAD-AF tool
Learn the purpose of the various modules within MAAD-AF
Note
MAAD-AF is a constantly evolving in its capabilities and features. This lab is designed around the latest release of MAAD-AF as of April 19, 2023. While the fundamentals taught in this lab should enable a user to confidently use any future release of MAAD-AF, note that some content within this lab may differ slightly from the latest version. In the event of major changes to the MAAD-AF tool, this lab will be updated to reflect those changes.
How To Use This Lab¶
This is a hands-on lab designed to deliver a practical knowledge of attacker techniques and use of attack tools like MAAD-AF for security testing.
Each MAAD-AF module roughly corresponds to one module in this lab.
Each module may call out a piece of information near the end to note for validation.
To successfully complete the lab, you will need to complete all the modules.
Finally, the lab is self-paced, and you can expect to finish it in under an hour.