# Technique 3: Defense Evasion

Follow the now familiar approach to trigger a defense evasion technique. In this section you will attempt to evade defenses in the target environment.

By now you are confident in how to trigger a technique in MAAD-AF.

`MAAD Attack Arsenal -> Type Module name -> Enter Sub-Module # choice -> Follow prompts to execute technique`

In this section you need to execute: `AzureAD -> (1) Modify Trusted IP Config`

Try to execute this on your own using what you have learnt so far. If you need assistance, follow the steps below.

## Step 1: Select AzureAD Module

In the Attack Arsenal menu, select the `AzureAD` module by typing "azuread" and hitting `enter`.

```
Note: Module names are case-insensitive. You don't have to type them exactly as they appear in the MAAD Attack Arsenal menu.
```

## Step 2: Select Backdoor Sub-Module

The sub-modules menu lists specific actions you can execute using MAAD-AF. In this case, the sub-module options list actions that users can take in Azure AD (Entra ID), for example changing environment configuration or deploying new configurations to achieve a certain objective.

For this section of the lab you want to modify the trusted IP configuration to bypass any location-based conditional access policy in the Entra ID environment. Select option `1` by typing "1" and hitting `enter`.

![defense_evasion_start](images/defense_evasion_start.png)

## Step 3: Deploy Backdoor

Follow the on-screen prompts in the tool to configure your IP as the trusted IP location in the Entra ID environment.

- Prompt **Enter a name for the new trusted network policy** : Here type a policy name specific to you, something like `yourname-home-ip-policy`.
- Prompt **Enter IP to add as trusted named location** : Here type any IPv4 address to set it as the trusted IP in the environment. Example: `169.101.147.9`. You can also leave this blank and press `enter`, which will prompt MAAD-AF to automatically query your current public IP address and use that to configure the trusted IP (cool, right?).
- Press `Enter` to continue deployment of the configuration.
- Watch MAAD-AF create a config with the parameters you provided and deploy the trusted IP config in the target Entra ID environment.
- Upon completion, a summary of the newly deployed configuration is displayed.

![defense_evasion_process](images/defense_evasion_process.png)

- Prompt **Would you like to undo changes by deleting the new trusted location policy?** : Answer "no" for the purpose of this lab. If you answer "yes", MAAD-AF will delete the trusted IP configuration that was just deployed.

![defense_evasion_undo](images/defense_evasion_undo.png)

```
Note: MAAD-AF, for most modules, will offer to undo the actions executed by the technique. This is another built-in capability of MAAD-AF, especially useful in security testing like this to minimize the impact of running attack techniques in an environment. It's good to take note of this capability, as this is something your prospects/customers might be interested in knowing when you are pitching red teaming in their environment with MAAD-AF. MAAD-AF will also explicitly warn you if an action cannot be reverted, so you can choose to execute it or not. For example, when deleting an entity in the environment to cause impact.
```

## Checkpoint: 4

**Congratulations on evading defenses**. You are really good at this attack thing. Vectra is good at catching so we will know if you successfully evaded the defenses in the environment ;)
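
On the defender's side, the change made in Step 3 shows up as a new trusted IP named location in the tenant. The following is an added example, not part of the lab or of MAAD-AF: it reviews a named-location listing shaped like the Microsoft Graph `GET /identity/conditionalAccess/namedLocations` response and flags trusted IP locations that are new, fall outside an approved baseline, or cover a single host. The sample data, the `APPROVED` baseline and the 7-day window are constructed assumptions.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Microsoft Graph namedLocations response (values are made up).
SAMPLE = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.ipNamedLocation", "id": "loc-1",
   "displayName": "Corp HQ egress", "isTrusted": true,
   "createdDateTime": "2023-01-10T09:00:00Z",
   "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "198.51.100.0/24"}]},
  {"@odata.type": "#microsoft.graph.ipNamedLocation", "id": "loc-2",
   "displayName": "yourname-home-ip-policy", "isTrusted": true,
   "createdDateTime": "2024-05-02T14:30:00Z",
   "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.9/32"}]},
  {"@odata.type": "#microsoft.graph.countryNamedLocation", "id": "loc-3",
   "displayName": "Allowed countries", "countriesAndRegions": ["US"], "createdDateTime": "2024-05-01T08:00:00Z"}
]}
""")

APPROVED = [ipaddress.ip_network("198.51.100.0/24")]  # assumed baseline of known egress ranges


def review_trusted_locations(locations, approved, now, recent_days=7):
    """Return (displayName, reasons) for trusted IP named locations that deserve a look."""
    findings = []
    for loc in locations:
        if not loc.get("@odata.type", "").endswith("ipNamedLocation") or not loc.get("isTrusted"):
            continue  # country-based or untrusted locations do not grant trusted-IP status
        created = datetime.fromisoformat(loc["createdDateTime"].replace("Z", "+00:00"))
        reasons = []
        if now - created <= timedelta(days=recent_days):
            reasons.append("recently created")
        for rng in loc.get("ipRanges", []):
            net = ipaddress.ip_network(rng["cidrAddress"], strict=False)
            if not any(net.version == a.version and net.subnet_of(a) for a in approved):
                reasons.append(f"{net} outside approved ranges")
            if net.num_addresses == 1:
                reasons.append(f"{net} is a single host")
        if reasons:
            findings.append((loc["displayName"], reasons))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible
    for name, reasons in review_trusted_locations(SAMPLE["value"], APPROVED, now):
        print(name, "->", "; ".join(reasons))
```

If you answered "yes" to the undo prompt in Step 3, the location no longer appears in a listing like this, so a review of this kind complements the audit log and does not replace it.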