MAAD-AF Remove User Access

This module allows attackers to permanently remove an account from Azure AD, causing denial of access for that user.

CAUTION: User deletion is a permanent action and cannot be undone after testing.

Module Overview - DRAFT

NOTE TO ENABLEMENT TEAM: We may need to find a more sustainable example to use for lab users and adjust the verbiage below accordingly.

  1. From the main Attack Arsenal menu, enter 14 for Remove Access of Users. Read through the MITRE information, and press <Enter> to continue.

  2. Remove the user assigned to you for lab purposes. This action cannot be undone.

    Note that hitting enter when prompted to enter an account to remove from Azure AD will list all available accounts within the tenant.

  3. Upon successful removal of the user, a success message will display, and the attacker will be brought back to the main Attack Arsenal menu.

    MAAD Remove User Access

Validation - DRAFT

Which user was removed?