The definitive operational blueprint for Hybrid Identity and Cloud Security.
Built and Maintained with ❤️ in France by SERVTEP | Lead Architect: Pchelnikau Artur
The Microsoft Cybersecurity Attack, Detection & Defense Framework is a holistic repository designed to bridge the critical gap between traditional on-premises security and modern cloud-native defense.
Unlike standard checklists, this framework maps the entire adversarial lifecycle across the Hybrid Microsoft Ecosystem: from Active Directory to Entra ID (Azure AD), Azure Resources, and Microsoft 365. It provides a unified language for Red and Blue Teams to simulate, detect, and mitigate advanced threats.
The complete catalog contains 501+ verified techniques.
Transform your Microsoft security across on-premises, cloud, and hybrid environments
Artur Pchelnikau | CISO | IT Project Manager | Microsoft Security Architect | Penetration Tester | OSINT Expert
18+ years architecting & implementing secure Microsoft infrastructure at enterprise scale
Comprehensive cybersecurity consulting & program management for Active Directory | Azure | Entra ID | M365 | Hybrid Security
| Environment | Services |
|---|---|
| On-Premises | AD hardening, tiering, FSMO, forest security, Windows Server hardening |
| Cloud (Azure) | Entra ID, Zero Trust, Conditional Access (RBAC/ABAC/PBAC/ReBAC), governance |
| Hybrid | Identity sync, cross-tenant, on-prem to cloud migration, seamless security |
| Microsoft 365 | Exchange, Teams, SharePoint, OneDrive, DLP, compliance policies |
| Threat Defense | SIEM (Sentinel), EDR/NDR, SOC optimization, incident response, threat hunting |
| Advanced | AI automation, security orchestration, attack simulation, compliance frameworks |
- Program Leadership: Large-scale infrastructure transformation, compliance initiatives, strategic roadmaps
- Project Execution: Security implementation, migration planning, risk management, resource coordination
- Methodology: Agile & waterfall delivery, stakeholder alignment, phased rollout, continuous improvement
- Success Metrics: Timeline adherence, budget optimization, quality assurance, business alignment

- Penetration Testing: Infrastructure assessment, vulnerability discovery, exploitation chains
- OSINT & Reconnaissance: Deep reconnaissance, attack surface mapping, threat intelligence
- Security Testing: Microsoft environment red teaming, attack simulation using MCADDF scenarios
- Purple Team Exercises: Bridge offensive & defensive operations, validate detection capabilities

- Identity & Access: IAM, RBAC, ABAC, PBAC, ReBAC, Conditional Access
- Security Architecture: Zero Trust, defense-in-depth, risk-based design
- Compliance & Hardening: NIST 800-53, CIS Benchmarks, ISO 27001, STIG
- Threat Intelligence: 500+ attack scenarios (MCADDF creator), detection engineering
- Automation & AI: Intelligent threat response, security workflows, SOAR integration
- Red Team Expertise: Penetration testing, OSINT, attack simulation, vulnerability assessment
- Project Leadership: Enterprise transformation, program delivery, strategic execution
Modern enterprises do not operate in silos; they operate in hybrid states. Attackers pivot seamlessly between on-prem domain controllers and cloud tenants. This framework is built to reflect that reality.
- Hybrid-Native Focus: Deeply analyzes the synchronization points (e.g., Azure AD Connect or Microsoft Entra Connect) where most modern breaches occur.
- The SERVTEP ID System: Utilizes a proprietary navigation system for precise referencing and tracking.
- MITRE ATT&CK® v18.1 Aligned: Every technique is mapped to the latest T-codes, ensuring compatibility with standard threat intelligence feeds.
- Purple Team Ready: Each entry is designed to support both Offensive Execution (Red) and Defensive Detection (Blue).
This framework goes beyond simple remediation. Every technique analyzes defense across four critical architectural layers:
| Layer | Scope of Analysis |
|---|---|
| Identity & Access | RBAC/ABAC models, Conditional Access policies, PIM (Privileged Identity Management), and Tiered Admin models. |
| Network Security | NSG (Network Security Groups), Azure Firewall, Private Links, and Segmentation strategies. |
| Data Governance | Azure Purview labeling, DLP (Data Loss Prevention) policies, and Information Protection controls. |
| Monitoring | Microsoft Sentinel (KQL), Splunk (SPL), Sysmon (XML), and Unified Audit Logs. |
To simplify navigation across 500+ techniques, we have developed a proprietary logical identifier system. This allows practitioners to instantly recognize the Tactic, Target Technology, and Specific Vector just by reading the ID.
The ID follows the syntax: `[TACTIC]-[TECHNOLOGY]-[INDEX]`
Example:
REC-AD-001
- REC: Tactic Category (Reconnaissance)
- AD: Target Technology (Active Directory)
- 001: Unique Identifier
These codes define the specific environment or technology stack targeted by the technique.
| Code | Target Environment | Scope & Examples |
|---|---|---|
| AD | Active Directory (On-Prem) | Domain Controllers, LDAP, Kerberos, DNS, GPO, LAPS |
| CLOUD | Azure & Entra ID | App Registrations, Service Principals, Key Vaults, Azure Resources |
| M365 | Microsoft 365 SaaS | Exchange Online, SharePoint, Teams, Graph API, OneDrive |
| HYBRID | Sync Architecture | Azure AD Connect, Microsoft Entra Connect, PHS, PTA, Federation (ADFS), Seamless SSO |
| PHISH | Social Engineering | OAuth Consent Grants, Device Code Phishing, Branding Spoofing |
| EXPLOIT | Vulnerability Exploitation | CVEs, Deserialization, Logic Apps, Unpatched Services |
| CERT | Certificate Services | ADCS (Active Directory Certificate Services), ESC1-ESC16, CA Misconfigs |
| CONTAINER | Cloud Native | Azure Kubernetes Service (AKS), Kubelet API, Docker, Pod Escape |
| SQL | Database Services | Azure SQL, MSSQL, Data Exfiltration, SQL Injection |
| ENDO | Endpoint / OS | Windows 10/11, Server OS, Local Security Authority (LSA) |
The repository is organized into 9 primary tactical categories, fully aligned with the Cyber Kill Chain and MITRE ATT&CK.
| Category Code | Name | Description & Sub-Categories |
|---|---|---|
| REC | Reconnaissance | Discovery of tenants, domains, and privileges. • REC-AD (LDAP Analysis, BloodHound) • REC-CLOUD (Tenant Enum, ROADtools) • REC-CERT (ADCS Enum) |
| IA | Initial Access | Gaining the first foothold. • IA-PHISH (Device Code, Consent Grant) • IA-EXPLOIT (Public Facing Exploits) • IA-VALID (Password Spraying) |
| CA | Credential Access | Stealing keys to the kingdom. • CA-DUMP (LSASS, DCSync) • CA-KERB (Kerberoasting, AS-REP Roasting) • CA-TOKEN (PRT Theft, Primary Refresh Token) |
| PE | Privilege Escalation | Elevating rights from User to Admin. • PE-AD (ACL Abuse, AdminSDHolder) • PE-CLOUD (Role Escalation, PIM Abuse) • PE-CERT (ADCS ESC Techniques) |
| DE | Defense Evasion | Hiding from SIEM and EDR. • DE-LOG (Event Log Clearing) • DE-TOKEN (Impersonation, Token Manipulation) • DE-AMSI (AMSI/ETW Bypassing) |
| LM | Lateral Movement | Pivoting across the hybrid boundary. • LM-AD (Pass-the-Hash/Ticket) • LM-HYBRID (Cloud Pivoting, Hybrid Join) • LM-CLOUD (Admin Tier Hopping) |
| PERS | Persistence | Maintaining long-term access. • PERS-AD (Golden Ticket, Skeleton Key) • PERS-CLOUD (Service Principals, Automation Accounts) • PERS-HYBRID (Golden SAML) |
| EX | Exfiltration | Stealing the data. • EX-M365 (SharePoint/OneDrive Collection) • EX-SQL (Database Dump) • EX-AUTO (Power Automate Exfiltration) |
| IMP | Impact | Destruction and disruption. • IMP-RANSOM (Encryption) • IMP-DOS (Denial of Service) • IMP-DESTROY (Resource Deletion) |
Use this repository as a comprehensive "cheat sheet" for campaign planning. The SERVTEP IDs allow you to chain techniques logically (e.g., REC-AD-001 → CA-DUMP-002 → LM-HYBRID-003) to simulate realistic APT behaviors.
Use the framework for Gap Analysis. Select a technique ID (e.g., IA-PHISH-002), simulate it, and verify if your SIEM/EDR triggers the expected alert.
Utilize the index to audit your environment's exposure. Prioritize remediation based on the "Technique Severity" and prevalence noted in the documentation.
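As an added example (not code from the MCADDF repository), the Python below parses the SERVTEP ID syntax described above, checks that a planned chain of IDs moves forward through the nine tactical categories, and reports which tactics a set of simulated techniques leaves uncovered for gap analysis. It assumes the order in which the category table lists the nine tactics is the kill-chain rank, and it accepts middle tokens that are sub-category names rather than entries in the technology table (such as DUMP or KERB) while flagging them as unlisted.

```python
import re
from dataclasses import dataclass

# The nine tactical categories in the order the framework's category table lists them.
# Assumption: that listed order is used here as the kill-chain rank for chain checks.
TACTICS = ["REC", "IA", "CA", "PE", "DE", "LM", "PERS", "EX", "IMP"]
TACTIC_RANK = {code: rank for rank, code in enumerate(TACTICS)}

# Technology codes from the framework's technology table. The category table also uses
# sub-category tokens (DUMP, KERB, LOG, ...) in the middle position; those parse fine
# but are reported as not listed in the technology table.
TECHNOLOGIES = {"AD", "CLOUD", "M365", "HYBRID", "PHISH", "EXPLOIT",
                "CERT", "CONTAINER", "SQL", "ENDO"}

# [TACTIC]-[TECHNOLOGY]-[INDEX], with a three-digit index as in REC-AD-001.
ID_PATTERN = re.compile(r"^(?P<tactic>[A-Z]+)-(?P<technology>[A-Z0-9]+)-(?P<index>\d{3})$")


@dataclass(frozen=True)
class TechniqueId:
    tactic: str
    technology: str
    index: int
    technology_listed: bool  # True when the middle token is in the technology table


def parse_id(raw: str) -> TechniqueId:
    """Parse one SERVTEP ID; raise ValueError on malformed syntax or an unknown tactic."""
    match = ID_PATTERN.match(raw.strip().upper())
    if match is None:
        raise ValueError(f"malformed SERVTEP ID {raw!r}: expected [TACTIC]-[TECHNOLOGY]-[INDEX]")
    tactic = match.group("tactic")
    if tactic not in TACTIC_RANK:
        raise ValueError(f"unknown tactic {tactic!r} in {raw!r}; expected one of {TACTICS}")
    technology = match.group("technology")
    return TechniqueId(tactic, technology, int(match.group("index")),
                       technology in TECHNOLOGIES)


def is_valid_id(raw: str) -> bool:
    """Convenience wrapper: True when parse_id accepts the string."""
    try:
        parse_id(raw)
        return True
    except ValueError:
        return False


def chain_regressions(ids):
    """Flag steps in a chain whose tactic sits earlier in the kill chain than the previous step.

    Returns a list of (position, previous_tactic, current_tactic). An empty list means the
    chain only moves forward (e.g. REC -> CA -> LM). A regression is not necessarily wrong
    (re-reconnaissance after escalation is realistic), so it is reported, not rejected.
    """
    parsed = [parse_id(i) for i in ids]
    regressions = []
    for pos in range(1, len(parsed)):
        prev, cur = parsed[pos - 1], parsed[pos]
        if TACTIC_RANK[cur.tactic] < TACTIC_RANK[prev.tactic]:
            regressions.append((pos, prev.tactic, cur.tactic))
    return regressions


def tactic_coverage(ids):
    """For gap analysis: which of the nine tactics a set of simulated techniques covers."""
    covered = {parse_id(i).tactic for i in ids}
    return {
        "covered": [t for t in TACTICS if t in covered],
        "missing": [t for t in TACTICS if t not in covered],
    }


if __name__ == "__main__":
    # Constructed sample chain, using the IDs quoted in the usage guidance above.
    chain = ["REC-AD-001", "CA-DUMP-002", "LM-HYBRID-003"]
    for step in chain:
        print(parse_id(step))
    print("regressions:", chain_regressions(chain))
    print("coverage:", tactic_coverage(chain))
```

Feeding the IDs from an exercise plan into `tactic_coverage` gives a quick view of which of the nine categories have never been simulated against the SIEM/EDR, which is where detection gaps tend to hide.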
This is a living framework. As the Microsoft ecosystem evolves, so do the threats. We welcome contributions from the community to keep this repository at the cutting edge.
- Fork the repository.
- Create a branch for your technique or update.
- Submit a Pull Request with a detailed description.
EDUCATIONAL AND DEFENSIVE USE ONLY
The contents of this repository are for authorized security testing, educational purposes, and defensive research. The techniques listed involve mechanisms that can disrupt critical business operations or bypass security controls.
SERVTEP and Pchelnikau Artur accept no liability for any damage caused by the misuse of this information. Users are responsible for ensuring all activities are conducted within the scope of a signed Rule of Engagement (RoE) and in compliance with all applicable local, federal, and international laws.
This project is licensed under the terms of the LICENSE file.
Built with ❤️ in France by SERVTEP