MAAD-AF Overview


MAAD-AF is an adversary emulation toolkit developed by Vectra AI to perform simple, fast and effective security testing against an M365 and Azure AD tenant. Using MAAD-AF, security teams can quickly execute attacker tactics and techniques in a Microsoft 365 and Azure AD environment in order to test their detection and response capabilities for such techniques.

In case it wasn’t obvious enough already, MAAD-AF stands for Microsoft 365 and Azure AD Attack Framework. What else could it possibly be? :)

Fun facts about MAAD-AF which may interest your prospects and customers

  • MAAD-AF is built from the ground up by Vectra AI.

  • MAAD-AF uses living-off-the-land techniques leveraging native services and APIs provided by Microsoft, not exploits or 0-days which risk being patched.

  • MAAD-AF executes techniques which are leveraged by attackers. Users can be confident that they are testing their defenses against realistic activity.

  • MAAD-AF is fully open source. That means a few cool things:

    • It is free!

    • Anyone can use it!

    • Anyone can contribute to it! (and we hope you do)

    • Anyone can validate and audit the code base!

  • MAAD-AF has no setup requirements. Simply download it and start using it.

MAAD-AF Arsenal

The following modules are available within MAAD-AF as of this lab’s creation (September 2022):

Module Name                            MITRE Technique
-------------------------------------  ---------------------------------------------
Internal Recon for Azure AD            Account Discovery
Create Backdoor Admin Account          Create Account: Cloud Account
Modify Allowed IP Space                Impair Defenses
Disable Mailbox Forwarding             Impair Defenses: Disable Cloud Logs
Disable Phishing Monitoring            Impair Defenses
Hide Signs of Exchange Access          Hide Artifacts: Email Hiding Rules
Configure Exchange Mailbox Forwarding  Email Collection: Email Forwarding Rule
Enable External Teams Access           Data from Information Repositories
Use eDiscovery for Data Exfiltration   Data from Information Repositories
Brute Force a Password                 Brute Force
Disable Tenant-level MFA Policies      Impair Defenses
Exploit Sharepoint                     Data from Information Repositories: Sharepoint
External Recon                         Active Scanning
Obfuscate Access via TOR Proxy         Proxy: Multi-hop Proxy

About this lab

In this lab, you will:

  1. Set up MAAD-AF (which is very easy)

  2. Understand the layout of the MAAD-AF tool

  3. Learn the purpose of the various modules within MAAD-AF

NOTE: MAAD-AF is constantly evolving in its capabilities and features. This lab is designed around the latest release of MAAD-AF as of April 19, 2023. While the fundamentals taught in this lab should enable a user to confidently use any future release of MAAD-AF, note that some content within this lab may differ slightly from the latest version. In the event of major changes to the MAAD-AF tool, this lab will be updated to reflect those changes.

How to use this lab

  1. This is a hands-on lab designed to deliver practical knowledge of attacker techniques and of the use of attack tools like MAAD-AF for security testing.

  2. Each MAAD-AF module roughly corresponds to one module in this lab.

  3. Each module may call out, near its end, a piece of information to note for validation.

  4. To successfully complete the lab, you will need to complete all the modules.

  5. Finally, the lab is self-paced, and you can expect to finish it in under an hour.