Skip to content
/ msInvader Public

M365/Azure adversary simulation tool that generates realistic attack telemetry to help blue teams improve their detection and response capabilities.

License

Apache-2.0 license
227 stars 13 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mvelazc0/msInvader

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

104 Commits
img
img
 
 
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
config.yml
config.yml
 
 
msInvader.py
msInvader.py
 
 

Repository files navigation

msInvader

Open_Threat_Research Community

msInvader logo

msInvader is an adversary simulation tool designed for blue teams to simulate real-world attack techniques within M365 and Azure environments. By generating realistic attack telemetry, msInvader empowers detection engineers, SOC analysts, and threat hunters to assess, enhance, and strengthen their detection and response capabilities.

msInvader supports simulating techniques in two common attack scenarios: a compromised user account or a compromised service principal. These scenarios are critical for understanding how adversaries operate after obtaining initial access, allowing teams to simulate post-compromise behaviors and validate their detection and response mechanisms. For user account scenarios, msInvader uses the resource owner password and device authorization OAuth flows to obtain tokens, simulating attacks such as credential compromise (e.g., phishing or password spraying attacks) or MFA bypass (e.g., adversary-in-the-middle (AiTM) or token theft attacks). For compromised service principals, it leverages the client credentials OAuth flow to replicate unauthorized application access.

Once authenticated, msInvader interacts with Exchange Online using three methods: the Graph API, Exchange Web Services (EWS), and the REST API used by the Exchange Online PowerShell module. This flexibility allows blue teams to simulate a wide range of attack techniques across multiple scenarios.

Documentation

Visit the Wiki for documentation.

Demo

msInvader

Supported Techniques

Technique Graph EWS REST
read_email X X
search_mailbox X
search_onedrive X
create_rule X X X
enable_email_forwarding X
add_folder_permission X X
add_mailbox_delegation X
run_compliance_search X
create_mailflow X

For a full list of available techniques, visit Supported Techniques on the Wiki.

Detections

This section will compile public detection strategies tailored to the techniques simulated by msInvader.

Quick Start Guide

Step 1 : Clone repository

git clone https://github.com/mvelazc0/msInvader.git

Step 2: Customize configuration file

  1. Open the config.yaml file located in the msInvader directory.
  2. Customize the configuration file to meet your needs. Refer to the msInvader Configuration file guide for details.
  3. Enable and configure the desired techniques in the playbooks section. Each technique requires specific parameters, which are detailed in the Supported Techniques documentation.

Step 3: Run msInvader

To run msInvader with your configuration file:

python msInvader.py -c config.yaml

Author

References

License

This project is licensed under the Apache 2.0 License - see the LICENSE file for details

About

M365/Azure adversary simulation tool that generates realistic attack telemetry to help blue teams improve their detection and response capabilities.

Topics

threat-hunting purple-team adversary-simulation

Resources

Readme

License

Apache-2.0 license
Activity

Stars

227 stars

Watchers

3 watching

Forks

13 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages