Skip to content

M365/Azure adversary simulation tool designed to simulate adversary techniques and generate attack telemetry.

License

Notifications You must be signed in to change notification settings

mvelazc0/msInvader

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

79 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

msInvader

Open_Threat_Research Community

msInvader logo

msInvader is an adversary simulation tool built for blue teams, designed to simulate adversary techniques within M365 and Azure environments. Its purpose is to generate attack telemetry that aids teams in building, testing, and enhancing detection analytics.

To facilitate realistic simulations, msInvader implements multiple authentication mechanisms that mirror different attack scenarios. It supports two OAuth flows for simulating a compromised user scenario: the resource owner password flow and the device authorization flow. These methods allow msInvader to obtain tokens simulating the compromise of a user's credentials or an successful adversary in the middle (AiTM) attack . Additionally, msInvader can replicate conditions involving compromised service principals by supporting the client credentials OAuth flow.

Once authenticated, msInvader is capable of interacting with Exchange Online through three distinct methods: the Graph API, Exchange Web Services (EWS), and the REST API utilized by the Exchange Online PowerShell module. This support enables msInvader to comprehensively simulate attack techniques, providing blue teams with the flexibility to simulate multiple scenarios.

Documentation

Visit the Wiki for documentation.

Demo

msInvader

Supported Techniques

Technique Graph EWS REST
read_email X X
search_mailbox X
search_onedrive X
create_rule X X X
enable_email_forwarding X
add_folder_permission X X
add_mailbox_delegation X
run_compliance_search X
create_mailflow X

Visit Supported Techniques on the Wiki for technique descriptions.

Detections

This section will compile public detection strategies tailored to the techniques simulated by msInvader.

Quick Start Guide

Step 1 : Clone repository

git clone https://github.com/mvelazc0/msInvader.git

Step 2: Customize configuration file

  1. Open the config.yaml file located in the msInvader directory.
  2. Configure the authentication section with your Azure/M365 credentials. Refer to the msInvader Configuration file guide for details.
  3. Enable and configure the desired techniques in the techniques section. Each technique requires specific parameters, which are detailed in the Supported Techniques documentation.

Step 3: Run msInvader

To run msInvader with your configuration file:

python msInvader.py -c config.yaml

Author

References

License

This project is licensed under the Apache 2.0 License - see the LICENSE file for details

About

M365/Azure adversary simulation tool designed to simulate adversary techniques and generate attack telemetry.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages