msInvader is an adversary simulation tool built for blue teams, designed to simulate adversary techniques within M365 and Azure environments. Its purpose is to generate attack telemetry that aids teams in building, testing, and enhancing detection analytics.
To facilitate realistic simulations, msInvader implements multiple authentication mechanisms that mirror different attack scenarios. It supports two OAuth flows for simulating a compromised user scenario: the resource owner password flow and the device authorization flow. These methods allow msInvader to obtain tokens simulating the compromise of a user's credentials or an successful adversary in the middle (AiTM) attack . Additionally, msInvader can replicate conditions involving compromised service principals by supporting the client credentials OAuth flow.
Once authenticated, msInvader is capable of interacting with Exchange Online through three distinct methods: the Graph API, Exchange Web Services (EWS), and the REST API utilized by the Exchange Online PowerShell module. This support enables msInvader to comprehensively simulate attack techniques, providing blue teams with the flexibility to simulate multiple scenarios.
Visit the Wiki for documentation.
| Technique | Graph | EWS | REST |
|---|---|---|---|
| read_email | X | X | |
| search_mailbox | X | ||
| search_onedrive | X | ||
| create_rule | X | X | X |
| enable_email_forwarding | X | ||
| add_folder_permission | X | X | |
| add_mailbox_delegation | X | ||
| run_compliance_search | X | ||
| create_mailflow | X |
Visit Supported Techniques on the Wiki for technique descriptions.
This section will compile public detection strategies tailored to the techniques simulated by msInvader.
- Office 365 Collection Techniques by the Splunk Threat Research Team
git clone https://github.com/mvelazc0/msInvader.git
- Open the
config.yamlfile located in the msInvader directory. - Configure the
authenticationsection with your Azure/M365 credentials. Refer to the msInvader Configuration file guide for details. - Enable and configure the desired techniques in the
techniquessection. Each technique requires specific parameters, which are detailed in the Supported Techniques documentation.
To run msInvader with your configuration file:
python msInvader.py -c config.yaml
- Mauricio Velazco - @mvelazco
This project is licensed under the Apache 2.0 License - see the LICENSE file for details