.. role:: html(raw)
   :format: html

.. title:: MAAD Attack Framework

.. toctree::
   :maxdepth: 2
   :caption: MAAD Attack Framework (MAAD-AF)
   :name: _maad_af
   :hidden:

   maad_overview/maad_overview
   maad_fundamentals/maad_fundamentals
   maad_cloning/maad_cloning
   maad_launch/maad_launch

.. toctree::
   :maxdepth: 2
   :caption: MAAD-AF - Modules
   :name: _maad_af_modules
   :hidden:

   maad_recon_azure_ad/maad_recon_azure_ad
   maad_redundant_access/maad_redundant_access
   maad_trusted_ip/maad_trusted_ip
   maad_disable_mbox_auditing/maad_disable_inbox_auditing
   maad_disable_anti_phish/maad_disable_anti_phish
   maad_inbox_rules/maad_inbox_rules
   maad_mbox_forwarding_exfil/maad_mbox_forwarding_exfil
   maad_user_mbox_access/maad_user_mbox_access
   maad_external_teams_access/maad_external_teams_access
   maad_ediscovery_exfil/maad_ediscovery_exfil
   maad_password_brute_force/maad_password_brute_force
   maad_disable_tenant_mfa/maad_disable_tenant_mfa
   maad_sharepoint_exfil/maad_sharepoint_exfil
   maad_remove_user_access/maad_remove_user_access
   maad_external_recon/maad_external_recon

.. toctree::
   :maxdepth: 2
   :caption: MAAD-AF - Advanced Anger
   :name: _maad_af_advanced
   :hidden:

   maad_obfuscate_over_tor/maad_obfuscate_over_tor
   maad_credential_storage/maad_credential_storage

.. toctree::
   :maxdepth: 2
   :caption: Reference
   :name: _reference
   :hidden:

.. _welcome:

.. figure:: ./images/MAAD_AF.png
   :alt: MAAD-AF

--------------------------------
Welcome!
--------------------------------
MAAD-AF is an adversary emulation toolkit developed by Vectra AI to perform
simple, fast and effective security testing against an M365 and Azure AD
tenant. Using MAAD-AF, security teams can quickly execute attacker tactics and
techniques in a Microsoft 365 and Azure AD environment in order to test their
detection and response capabilities for such techniques.

In case it wasn't obvious enough already, MAAD-AF stands for **M**\ icrosoft 365
and **A**\ zure **AD** **A**\ ttack **F**\ ramework. What else could it possibly
be? :)
.. note::

   Fun facts about MAAD-AF which may interest your prospects and customers:

   - MAAD-AF is built from the ground up by `Vectra AI <https://www.vectra.ai>`__.
   - MAAD-AF uses living-off-the-land techniques leveraging native services and
     APIs provided by Microsoft, not exploits or 0-days which risk being patched.
   - MAAD-AF executes techniques which are leveraged by attackers. Users can be
     confident that they are testing their defenses against realistic activity.
   - MAAD-AF is fully open source. That means a few cool things:

     - It is free!
     - Anyone can use it!
     - Anyone can contribute to it! (and we hope you do)
     - Anyone can validate and audit the code base!

   - MAAD-AF requires no setup. Simply download and start using it.

MAAD-AF Arsenal
===============
The following modules are available within MAAD-AF as of this lab's creation
(September 2022):

.. list-table::
   :header-rows: 1

   * - Module Name
     - MITRE Technique
   * - Internal Recon for Azure AD
     - `Account Discovery <https://attack.mitre.org/techniques/T1087/>`__
   * - Create Backdoor Admin Account
     - `Create Account: Cloud Account <https://attack.mitre.org/techniques/T1136/003/>`__
   * - Modify Allowed IP Space
     - `Impair Defenses <https://attack.mitre.org/techniques/T1562/>`__
   * - Disable Mailbox Forwarding
     - `Impair Defenses: Disable Cloud Logs <https://attack.mitre.org/techniques/T1562/008/>`__
   * - Disable Phishing Monitoring
     - `Impair Defenses <https://attack.mitre.org/techniques/T1562/>`__
   * - Hide Signs of Exchange Access
     - `Hide Artifacts: Email Hiding Rules <https://attack.mitre.org/techniques/T1564/008/>`__
   * - Configure Exchange Mailbox Forwarding
     - `Email Collection: Email Forwarding Rule <https://attack.mitre.org/techniques/T1114/003/>`__
   * - Enable External Teams Access
     - `Data from Information Repositories <https://attack.mitre.org/techniques/T1213/>`__
   * - Use eDiscovery for Data Exfiltration
     - `Data from Information Repositories <https://attack.mitre.org/techniques/T1213/>`__
   * - Brute Force a Password
     - `Brute Force <https://attack.mitre.org/techniques/T1110/>`__
   * - Disable Tenant-level MFA Policies
     - `Impair Defenses <https://attack.mitre.org/techniques/T1562/>`__
   * - Exploit Sharepoint
     - `Data from Information Repositories: Sharepoint <https://attack.mitre.org/techniques/T1213/002/>`__
   * - External Recon
     - `Active Scanning <https://attack.mitre.org/techniques/T1595/>`__
   * - Obfuscate Access via TOR Proxy
     - `Proxy: Multi-hop Proxy <https://attack.mitre.org/techniques/T1090/003/>`__

About This Lab
===============
In this lab, you will:
#. Set up MAAD-AF (which is very easy)
#. Understand the layout of the MAAD-AF tool
#. Learn the purpose of the various modules within MAAD-AF
.. note::

   MAAD-AF is constantly evolving in its capabilities and features.
   This lab is designed around the latest release of MAAD-AF as of
   **April 19, 2023**. While the fundamentals taught in this lab should enable
   a user to confidently use any future release of MAAD-AF, note that some
   content within this lab may differ slightly from the latest version. In the
   event of major changes to the MAAD-AF tool, this lab will be updated to
   reflect those changes.

How To Use This Lab
===================
#. This is a hands-on lab designed to deliver practical knowledge of attacker
   techniques and use of attack tools like MAAD-AF for security testing.
#. Each MAAD-AF module roughly corresponds to one module in this lab.
#. Each module may call out a piece of information near the end to note for
   validation.
#. To successfully complete the lab, you will need to complete all the modules.
#. Finally, the lab is self-paced, and you can expect to finish it in under an
   hour.