Stars
A comprehensive list of usable Entra ID first-party clients with pre-consented Microsoft Graph scopes, in a simple YAML file explorable with a simple HTML GUI.
A collection of scripts for assessing Microsoft Azure security
A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID
PowerShell tools to help defenders hunt smarter, hunt harder.
A guide to using Azure Data Explorer and KQL for DFIR
Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown
Azure Security Resources and Notes
Covers various security approaches to attack techniques and also provides new discoveries about security breaches.
CoffeeShot: Avoid Detection with Memory Injection
C# implementation of TokenFinder. Steal M365 access tokens from Office Desktop apps
M365/Azure adversary simulation tool that generates realistic attack telemetry to help blue teams improve their detection and response capabilities.
Initial Access and Post-Exploitation Tool for AAD and O365 with a browser-based GUI
Various resources to enhance Cobalt Strike's functionality and its ability to evade antivirus/EDR detection
Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+Bloc…
SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Materials for the workshop "Red Team Ops: Havoc 101"
A collection of Azure AD/Entra tools for offensive and defensive security purposes
Validates username & password combination(s) across a host or group of hosts using the SMB protocol.
Small tool to play with IOCs caused by Imageload events
Cloud Analytics helps defenders detect attacks to their cloud infrastructure by developing behavioral analytics for cloud platforms as well as a blueprint for how others can create and use cloud an…
Research into Undocumented Behavior of Azure AD Refresh Tokens
SharpShareFinder is a minimalistic network share discovery POC designed to enumerate shares in Windows Active Directory networks leveraging .NET parallelism.
A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
A Post-exploitation Toolset for Interacting with the Microsoft Graph API