msInvader is an adversary simulation tool designed for blue teams to simulate real-world attack techniques within M365 and Azure environments. By generating realistic attack telemetry, msInvader empowers detection engineers, SOC analysts, and threat hunters to assess, enhance, and strengthen their detection and response capabilities.
msInvader supports simulating techniques in two common attack scenarios: a compromised user account or a compromised service principal. These scenarios are critical for understanding how adversaries operate after obtaining initial access, allowing teams to simulate post-compromise behaviors and validate their detection and response mechanisms. For user account scenarios, msInvader uses the resource owner password and device authorization OAuth flows to obtain tokens, simulating attacks such as credential compromise (e.g., phishing or password spraying attacks) or MFA bypass (e.g., adversary-in-the-middle (AiTM) or token theft attacks). For compromised service principals, it leverages the client credentials OAuth flow to replicate unauthorized application access.
Once authenticated, msInvader interacts with Exchange Online using three methods: the Graph API, Exchange Web Services (EWS), and the REST API used by the Exchange Online PowerShell module. This flexibility allows blue teams to simulate a wide range of attack techniques across multiple scenarios.
Visit the Wiki for documentation.
| Technique | Graph | EWS | REST |
|---|---|---|---|
| read_email | X | X | |
| search_mailbox | X | ||
| search_onedrive | X | ||
| create_rule | X | X | X |
| enable_email_forwarding | X | ||
| add_folder_permission | X | X | |
| add_mailbox_delegation | X | ||
| run_compliance_search | X | ||
| create_mailflow | X |
For a full list of available techniques, visit Supported Techniques on the Wiki.
This section will compile public detection strategies tailored to the techniques simulated by msInvader.
- Office 365 Collection Techniques by the Splunk Threat Research Team
git clone https://github.com/mvelazc0/msInvader.git
- Open the
config.yamlfile located in the msInvader directory. - Customize the configuration file to meet your needs. Refer to the msInvader Configuration file guide for details.
- Enable and configure the desired techniques in the
playbookssection. Each technique requires specific parameters, which are detailed in the Supported Techniques documentation.
To run msInvader with your configuration file:
python msInvader.py -c config.yaml
- Mauricio Velazco - @mvelazco
This project is licensed under the Apache 2.0 License - see the LICENSE file for details