You should get MAAD-AF about emulating attacks – it goes a long way

February 15, 2023
Arpan Sarkar
Senior Technical Marketing Engineer
You should get MAAD-AF about emulating attacks – it goes a long way

When a user's identity is compromised, what can an attacker do? The answer is just about anything. With access to an enterprise environment, an attacker can steal data from SaaS applications, including high-value Microsoft 365 data stores like SharePoint, Teams, and Exchange, as well as applications like Salesforce and ADP, and conduct campaigns against federated cloud service providers and hybrid network environments.  

Defenders need to respond to and stop identity-focused attacks against Azure AD and M365 before damage can be done. Prevention mechanisms like employee education, MFA, and a well-crafted Conditional Access Policy help, but attackers consistently find their way in. But first, an understanding of what an attacker does, once they are in your environment is critical to stopping them when preventative measures are bypassed. So, what do you do about that?

Security teams need the right tools to test cloud security controls in ways that emulate real attacker behavior to understand the gaps and ensure they have the proper visibility to stop an attacker. In my experience, this is what drives resilience. Ensuring a resilient cloud configuration with the right detection mechanisms to detect and respond in time can help mitigate and prevent damage from a breach.  Now, when you think about adversaries exploiting security gaps, questionable resilience, and visibility you may be lacking — it is time to get mad, and MAAD-AF!!

What is MAAD AF aka M365 & Azure AD Attack Framework

MAAD-AF (an acronym for Microsoft 365 & Azure AD Attack Framework) is an open-source cloud attack framework developed to test the security of Microsoft 365 and Azure AD environments through adversary emulation. MAAD-AF is designed to make cloud security testing simple, fast and effective for security practitioners by providing an intuitive testing tool and focusing on the most critical areas.  

MAAD-AF offers various easy-to-use attack modules to exploit configuration flaws across different M365/Azure AD cloud-based tools and services — with the ability to easily integrate and add new modules over time.  Through its virtually no-setup requirement and interactive attack modules, security teams can test their cloud security controls, detection capabilities and response mechanisms easily and swiftly.  This is something to think about when considering a new tool to fill security gaps.

With MAAD-AF, security teams can easily emulate real attacker tactics and techniques to progress through a compromised M365 and Azure AD environment. This can help identify gaps in existing configurations and detection and response capabilities to ultimately harden the cloud environment's security. Try it out yourself!

What Makes MAAD-AF Good

MAAD-AF is a post-compromise and pre-compromise exploitation tool

Its interactive modules allow users to exploit Microsoft 365 and Azure AD configuration flaws from a single simple-to-use interface.

MAAD-AF's post-compromise modules employ living-off-the-land techniques

MAAD-AF's uses the inherent functionality of Microsoft cloud services to execute actions in the target environment.  

MAAD-AF supports pre-compromise actions such as initial reconnaissance and credential brute force

For those interested in other compromise techniques, we highly recommend AADInternals and PowerZure — two tools that helped inspire the development of the MAAD attack framework.

The techniques included in MAAD-AF are based on the active behaviors that threat actors perform during attacks against Azure AD and M365 environments. MAAD-AF keeps security testing simple and effective by focusing modules on the commonly used techniques and exploitation of key and frequently targeted Microsoft cloud services.  

MAAD-AF also features virtually no-setup requirements

Users can download the tool from MAAD-AF's github repo and start testing. All dependencies needed can be handled directly by MAAD-AF.  Additionally, we've created a free identity exposure gap analysis to help teams understand their current risk.

Try it out Yourself

MAAD is open-source, and everyone is invited to use it and contribute to its development. We welcome everyone to join MAAD’s mission and contribute in any way possible. Send your great ideas, feature requests, report bugs/issues or contribute directly by writing new attack modules for the MAAD Library.  

Learn more about how the MAAD-AF framework can test the security of cloud environments by watching the on-demand webinar on Identity Based Attacks.

You can also read the over on MAAD-AF attack modules and the core components, installation, and setup.

Here's to making security testing simple, fast and effective!

Get MAAD-AF from  MAAD-AF Github Repository.