MAAD-AF Fundamentals
This module has no steps to perform. Instead it gives background on how MAAD-AF is designed, so that an operator better understands the concepts behind the tool before running it.
Modularity
Think of MAAD-AF as a wall made of several bricks. It’s easy to add more bricks to grow the wall as needed in the future, and if one brick fails, it’s unlikely that the whole wall will come down.
In the same way, MAAD-AF is built from several modules that are independent of one another. This gives the following advantages:
New attack modules, capabilities and features can be added to MAAD-AF without touching the existing ones.
If an existing module fails, the rest of the tool keeps working. The failing module can be retried, or the operator can move on to a different technique entirely.
Ease of use
The premise of MAAD-AF is to make security testing of M365 and Azure AD quick and easy. To that end, the tool performs the work itself and only asks the user to choose from simple menu options; there are no tool-specific commands to learn and type at a prompt.
MAAD-AF is fully interactive and designed to be robust. It prompts the user for required information, validates input, and manages all back-end communication with the Microsoft services it interacts with automatically, including failover to secondary techniques whenever possible.
Identity is key
MAAD-AF is a post-compromise tool: it is meant to be run with a known set of Azure AD credentials. It shows what a determined attacker could do once a given identity, with its access and privileges, is compromised.
MAAD-AF prompts for initial credentials and uses them to establish further access, escalate privileges where possible, and maintain access using the techniques in its various modules.
Leave nothing but footprints
MAAD-AF offers an undo option at the end of each attack technique (menu option) that reverts the changes the technique made in the environment. This limits the impact that testing has on the M365 and Azure AD tenant.
NOTE: Modules whose actions cannot be reverted, for example deleting an account, do not offer the cleanup option.
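The following PowerShell is an added illustration, not MAAD-AF's own source code, of the two design points above: independent modules whose failures are isolated from the rest of the tool, and a per-technique undo that restores the state captured before the change, with an irreversible module (account deletion) that deliberately offers no undo. The registry functions Register-Module and Invoke-Module, the module names, and the in-memory $Tenant hashtable standing in for Azure AD objects are all assumptions made for this example so that it runs offline.

```powershell
# Added illustration (not MAAD-AF source): a minimal module registry with
# failure isolation and per-technique undo, run against an in-memory mock
# tenant so it executes offline. Register-Module, Invoke-Module, $Tenant
# and the module names are assumptions made for this example.

# Constructed mock tenant state standing in for Azure AD / M365 objects.
$Tenant = @{
    Users  = @{ 'alice@contoso.example' = @{ Roles = @('User') } }
    Groups = @{ 'SecOps' = @('alice@contoso.example') }
}

$Modules = [ordered]@{}

function Register-Module {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Run performs the technique and returns an undo scriptblock, or $null if none exists.
        [Parameter(Mandatory)][scriptblock]$Run,
        [switch]$Irreversible
    )
    $Modules[$Name] = @{ Run = $Run; Irreversible = $Irreversible.IsPresent }
}

function Invoke-Module {
    param([Parameter(Mandatory)][string]$Name)
    $m = $Modules[$Name]
    if (-not $m) { Write-Warning "Unknown module '$Name'"; return }
    if ($m.Irreversible) {
        Write-Warning "'$Name' cannot be undone; confirm before continuing."
    }
    try {
        # Each module runs in isolation: an exception here is caught so the
        # operator can retry or pick another technique instead of losing the session.
        $undo = & $m.Run
    } catch {
        Write-Warning "Module '$Name' failed: $($_.Exception.Message)"
        return
    }
    if ($undo) {
        $answer = Read-Host "Undo changes made by '$Name'? [y/N]"
        if ($answer -eq 'y') { & $undo; Write-Host "Reverted '$Name'." }
    }
}

# Technique with cleanup: add a privileged role to a user and return a
# closure that restores the exact role set captured beforehand.
Register-Module -Name 'Escalate-Role' -Run {
    $upn = 'alice@contoso.example'
    $before = @($Tenant.Users[$upn].Roles)          # snapshot prior state
    $Tenant.Users[$upn].Roles = $before + 'Global Administrator'
    Write-Host "Granted Global Administrator to $upn"
    return { $Tenant.Users[$upn].Roles = $before }.GetNewClosure()
}

# Technique without cleanup: deleting an account cannot be reverted, so it
# registers as irreversible and returns no undo action.
Register-Module -Name 'Delete-User' -Irreversible -Run {
    $upn = 'alice@contoso.example'
    $Tenant.Users.Remove($upn)
    Write-Host "Deleted $upn"
    return $null
}

# A deliberately broken module: its failure must not take the tool down.
Register-Module -Name 'Broken' -Run { throw 'simulated Graph API 403' }

Invoke-Module 'Broken'          # warns and returns; the session continues
Invoke-Module 'Escalate-Role'   # prompts to undo; answering y restores the original roles
Invoke-Module 'Delete-User'     # warns that there is no undo before running
```

The undo is built as a closure over the state snapshot taken before the change rather than as a hard-coded "remove the role" step, so it restores exactly what was there even if the user already held other roles. Real modules would replace the hashtable writes with Graph or Azure AD cmdlet calls, but the shape stays the same: capture, change, return the reverse.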