| Tool | Description | Repository | Further reading |
| --- | --- | --- | --- |
| AADInternals | AADInternals is a PowerShell module for administering Azure AD and Office 365. | Gerenios/AADInternals | AAD Internals (aadinternals.com) |
| Azure AD Incident Response PowerShell Module | The Azure Active Directory Incident Response PowerShell module provides a number of tools, developed by the Azure Active Directory Product Group in conjunction with the Microsoft Detection and Response Team (DART), to assist in compromise response. | AzureAD/Azure-AD-Incident-Response-PowerShell-Module | |
| Entra ID Security Config Analyzer (EIDSCA) | Logic App solution that ingests Azure AD configuration data into Log Analytics for monitoring and for strengthening identity security posture. | Cloud-Architekt/AzureAD-Attack-Defense | |
| azbelt | Standalone DLL and Sliver extension for enumerating Azure-related credentials, primarily on AAD-joined machines. | daddycocoaman/azbelt | |
| AppTotal | Analyze suspicious OAuth apps, browser extensions and SaaS add-ons to detect harmful apps, risky permissions and other security issues. | AppTotal.io | |
| AzureHound | The BloodHound data collector for Microsoft Azure. | BloodHoundAD/AzureHound | Automating Things 0x01 – AzureHound for blue teams |
| AzTokenFinder | A small tool to extract JWTs (or JWT-like data) from different processes, such as PowerShell, Excel, Word or others. | HackmichNet/AzTokenFinder | |
| AzureRT | Helpful utilities for access-token-based authentication, switching between the Az, AzureAD and az cli interfaces, easy-to-use pre-made attacks such as Runbook-based command execution, and more. | mgeeky/AzureRT | |
| BAADTokenBroker | BAADTokenBroker is a post-exploitation tool designed to leverage device-stored keys (device key, transport key, etc.) to authenticate to Microsoft Entra ID. | secureworks/BAADTokenBroker | |
| BadZure | BadZure is a PowerShell script that leverages the Microsoft Graph SDK to orchestrate the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths. | mvelazc0/BadZure | |
| BloodHound | BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment. | BloodHoundAD/BloodHound | BloodHound: Six Degrees of Domain Admin |
| BloodHound Attack Research Kit (BARK) | BARK stands for BloodHound Attack Research Kit. It is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. BARK currently focuses on Microsoft's Azure suite of products and services. | BloodHoundAD/BARK | |
| Cloud Katana | Cloud Katana is a cloud-native tool developed from the need to automate the execution of simulation steps in multi-cloud and hybrid cloud environments. This tool is an event-driven, serverless compute application built on top of Azure Functions that expedites the research process and assessment of security controls. It currently covers use cases in Azure, with work under way to extend it to other cloud providers. | Azure/Cloud-Katana | |
| Forest Druid | Free Tier 0 attack path discovery tool for Active Directory environments by Semperis. | Forest Druid | Closing Attack Paths to Tier 0 Assets with Forest Druid |
| GraphRunner | Post-exploitation toolset for interacting with the Microsoft Graph API. It provides various tools for performing reconnaissance, persistence, and pillaging of data from a Microsoft Entra ID (Azure AD) account. | dafthack/GraphRunner | Introducing GraphRunner: A Post-Exploitation Toolset for Microsoft 365 |
| GraphSpy | Initial access and post-exploitation tool for AAD and O365 with a browser-based GUI. | RedByte1337/GraphSpy | GraphSpy – The swiss army knife for attacking M365 & Entra |
| MAAD Attack Framework | MAAD-AF is an open-source cloud attack tool developed for testing the security of Microsoft 365 and Azure AD environments through adversary emulation. MAAD-AF provides security practitioners with easy-to-use attack modules to exploit configurations across different M365/Azure AD cloud-based tools and services. | vectra-ai-research/MAAD-AF | |
| Mandiant Azure AD Investigator | This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. Some indicators are "high-fidelity" indicators of compromise, while other artifacts are so-called "dual-use" artifacts. Dual-use artifacts may be related to threat actor activity, but may also be related to legitimate functionality. | mandiant/Mandiant-Azure-AD-Investigator | |
| MicroBurst | MicroBurst includes functions and scripts that support Azure service discovery, weak configuration auditing, and post-exploitation actions such as credential dumping. It is intended to be used during penetration tests where Azure is in use. | NetSPI/MicroBurst | Various blog posts on https://www.netspi.com/blog/ |
| Monkey365 | Monkey365 is an open-source security tool for conducting security configuration reviews of Microsoft 365, Azure subscriptions and Azure Active Directory without the significant overhead of learning tool APIs or complex admin panels from the start. Monkey365 also provides several ways to identify security gaps in the desired tenant setup and configuration, and gives recommendations on how to best configure those settings to get the most out of your Microsoft 365 tenant or Azure subscription. | silverhack/monkey365 | |
| msInvader | msInvader is an adversary simulation tool designed for blue teams to simulate real-world attack techniques within M365 and Azure environments. By generating realistic attack telemetry, msInvader enables detection engineers, SOC analysts, and threat hunters to assess, enhance, and strengthen their detection and response capabilities. | mvelazc0/msInvader | |
| ROADtools | ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool. | dirkjanm/ROADtools | Introducing ROADtools - The Azure AD exploration framework - dirkjanm.io |
| Purple Knight | Semperis built Purple Knight, a free AD and Azure AD security assessment tool, to help you discover indicators of exposure (IoEs) and indicators of compromise (IoCs) in your hybrid AD environment. | Purple Knight Community | Purple Knight Introduces Azure AD Security Indicators |
| RedCloud OS | RedCloud OS is a Debian-based cloud adversary simulation operating system for red teams to assess the security of leading cloud service providers (CSPs). It includes tools optimized for adversary simulation tasks within AWS, Azure and GCP. | RedTeamOperations/RedCloud-OS | |
| onedrive_user_enum | Python script to enumerate valid OneDrive users. | nyxgeek/onedrive_user_enum | TrustedSec - OneDrive to enum them all |
| SimuLand | SimuLand is an open-source initiative by Microsoft to help security researchers around the world deploy lab environments that reproduce well-known techniques used in real attack scenarios, actively test and verify the effectiveness of related Microsoft 365 Defender, Azure Defender and Microsoft Sentinel detections, and extend threat research using telemetry and forensic artifacts generated after each simulation exercise. | Azure/SimuLand | SimuLand: Understand adversary tradecraft and improve detection strategies - Microsoft Security Blog |
| Stormspotter | Stormspotter creates an "attack graph" of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and helps defenders quickly orient and prioritize incident response work. | Azure/Stormspotter | |
| SkyArk | SkyArk currently focuses on mitigating the threat of cloud shadow admins, and helps organizations discover, assess and protect cloud privileged entities. Stealthy and undercover cloud admins may reside in every public cloud platform, and SkyArk helps mitigate the risk in AWS and Azure. | cyberark/SkyArk | |
| TeamFiltration | TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. | Flangvik/TeamFiltration | |
| TokenMan | TokenMan is a tool for supporting post-exploitation activities using AAD access and/or refresh tokens. | secureworks/TokenMan | |
| TokenTactics | Azure access tokens allow you to authenticate to certain endpoints as a user who signs in with a device code, even if they used multi-factor authentication. Once you have a user's access token, it may be possible to access certain apps such as Outlook, SharePoint, OneDrive, MS Teams and more. For instance, with a Graph or MS Graph token you can connect to Azure and dump users, groups, etc. Depending on conditional access policies, you could then switch to an Azure Core Management token and run AzureHound, and then switch to an Outlook token to read/send emails, or an MS Teams token to read/send Teams messages. | rvrsh3ll/TokenTactics | |
| TokenTactics v2 | A fork of TokenTactics with support for CAE and the v2 token endpoint. Detailed output from Parse-JWTtoken displays related information for longer-lived (CAE-capable) tokens. | f-bader/TokenTacticsV2 | Continuous access evaluation - CloudBrothers.info |
| Vajra | Vajra is a UI-based tool with multiple techniques for attacking and enumerating a target's Azure environment. Vajra presently supports Azure and AWS cloud environments, with plans to add support for Google Cloud Platform and certain OSINT capabilities in the future. | TROUBLE-1/Vajra | |