| AADInternals |
AADInternals is PowerShell module for administering Azure AD and Office 365 |
Gerenios/AADInternals: AADInternals |
AAD Internals (aadinternals.com) |
| Azure AD Incident Response PowerShell Module |
The Azure Active Directory Incident Response PowerShell module provides a number of tools, developed by the Azure Active Directory Product Group in conjunction with the Microsoft Detection and Response Team (DART), to assist in compromise response. |
AzureAD/Azure-AD-Incident-Response-PowerShell-Module |
 |
| Azure AD Security Config Analyzer (AADSCA) |
Logic App solution to ingest configuration data of Azure AD to Log Analytics for monitoring and strengthen identity security posture. |
Cloud-Architekt/AzureAD-Attack-Defense |
 |
| azbelt |
Standalone DLL and sliver extension for enumerating Azure related credentials, primarily on AAD joined machines |
daddycocoaman/azbelt |
 |
| AzureHound |
The BloodHound data collector for Microsoft Azure |
BloodHoundAD/AzureHound |
Automating Things 0x01 – AzureHound for blue teams |
| AzTokenFinder |
Is a small tool to extract JWT (or JWT like looking data) from different processes, like PowerShell, Excel, Word or others. |
HackmichNet/AzTokenFinder |
 |
| AzureRT |
Helpful utilities dealing with access token based authentication, switching from Az to AzureAD  and az cli interfaces, easy to use pre-made attacks such as Runbook-based command execution and more. |
mgeeky/AzureRT: AzureRT |
 |
| BadZure |
BadZure is a PowerShell script that leverages the Microsoft Graph SDK to orchestrate the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths. |
mvelazc0/BadZure |
 |
| Bloodhound |
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment. |
BloodHoundAD/BloodHound |
BloodHound: Six Degrees of Domain Admin |
| BloodHound Attack Research Kit /BARK) |
BARK stands for BloodHound Attack Research Kit. It is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. BARK currently focuses on Microsoft’s Azure suite of products and services. |
BloodHoundAD/BARK: BloodHound |
 |
| CrowdStrike Reporting Tool for Azure (CRT) |
This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments. |
CrowdStrike/CRT/CRT |
 |
| Forest Druid |
Free Tier 0 attack path discovery tool for Active Directory environments by Semperis |
Forest Druid |
Closing Attack Paths to Tier 0 Assets with Forest Druid |
| GraphRunner |
Post-exploitation toolset for interacting with the Microsoft Graph API. It provides various tools for performing reconnaissance, persistence, and pillaging of data from a Microsoft Entra ID (Azure AD) account. |
dafthack/GraphRunner |
Introducing GraphRunner: A Post-Exploitation Toolset for Microsoft 365 |
| MAAD Attack Framework |
MAAD-AF is an open-source cloud attack tool developed for testing security of Microsoft 365 & Azure AD environments through adversary emulation. MAAD-AF provides security practitioners easy to use attack modules to exploit configurations across different M365/AzureAD cloud-based tools & services. |
vectra-ai-research/MAAD-AF |
 |
| Mandiant Azure AD Investigator |
This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. Some indicators are “high-fidelity” indicators of compromise, while other artifacts are so called “dual-use” artifacts. Dual-use artifacts may be related to threat actor activity, but also may be related to legitimate functionality. |
mandiant/Mandiant-Azure-AD-Investigator |
 |
| MicroBurst |
MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping. It is intended to be used during penetration tests where Azure is in use. |
NetSPI/MicroBurst |
Various blog posts on: https://www.netspi.com/blog/ |
| Monkey365 |
Monkey365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start. To help with this effort, Monkey365 also provides several ways to identify security gaps in the desired tenant setup and configuration. Monkey365 provides valuable recommendations on how to best configure those settings to get the most out of your Microsoft 365 tenant or Azure subscription. |
silverhack/monkey365 |
 |
| ROADtools |
ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool. |
dirkjanm/ROADtools |
Introducing ROADtools - The Azure AD exploration framework - dirkjanm.io |
| PurpleKnight |
Semperis built Purple Knight—a free AD and Azure AD security assessment tool—to help you discover indicators of exposure (IoEs) and indicators of compromise (IoCs) in your hybrid AD environment. |
PurpleKnight Community |
Purple Knight Introduces Azure AD Security Indicators |
| RedCloud OS |
RedCloud OS is a Debian based Cloud Adversary Simulation Operating System for Red Teams to assess the security of leading Cloud Service Providers (CSPs). It includes tools optimized for adversary simulation tasks within AWS, Azure and GCP. |
RedTeamOperations/RedCloud-OS |
 |
| onedrive_user_enum |
Python script to enumerate valid OneDrive users |
nyxgeek/onedrive_user_enum |
TrustedSec - OneDrive to enum them all |
| SimuLand |
SimuLand is an open-source initiative by Microsoft to help security researchers around the world deploy lab environments that reproduce well-known techniques used in real attack scenarios, actively test and verify effectiveness of related Microsoft 365 Defender, Azure Defender and Microsoft Sentinel detections, and extend threat research using telemetry and forensic artifacts generated after each simulation exercise. |
Azure/SimuLand |
SimuLand: Understand adversary tradecraft and improve detection strategies - Microsoft Security Blog |
| Stormspotter |
Stormspotter creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work. |
Azure/Stormspotter |
 |
| SkyArk |
SkyArk currently focuses on mitigating the new threat of Cloud Shadow Admins, and helps organizations to discover, assess and protect cloud privileged entities. Stealthy and undercover cloud admins may reside in every public cloud platform and SkyArk helps mitigating the risk in AWS and Azure. |
cyberark/SkyArk |
 |
| TeamFiltration |
TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. |
Flangvik/TeamFiltration |
 |
| TokenMan |
Token Man is a tool for supporting post-exploitation activities using AAD access and/or refresh tokens. |
secureworks/TokenMan |
 |
| TokenTactics |
Azure access tokens allow you to authenticate to certain endpoints as a user who signs in with a device code. Even if they used multi-factor authentication. Once you have a user’s access token, it may be possible to access certain apps such as Outlook, SharePoint, OneDrive, MSTeams and more. For instance, if you have a Graph or MSGraph token, you can then connect to Azure and dump users, groups, etc. You could then, depending on conditional access policies, switch to an Azure Core Management token and run AzureHound. Then, switch to an Outlook token and read/send emails or MS Teams and read/send teams messages! |
rvrsh3ll/TokenTactics |
 |
| TokenTactics v2 |
A fork of TokenTactics with support for CAE and token endpoint v2. Detailed output for Parse-JWTtoken to display related information for longer-lived (CAE-capable) tokens. |
f-bader/TokenTacticsV2 |
Continuous access evaluation - CloudBrothers.info |
| Vajra |
Vajra is a UI based tool with multiple techniques for attacking and enumerating in target’s Azure environment. Vajra presently supports Azure and AWS Cloud environments, with plans to add support for Google Cloud Platform and certain OSINT in the future. |
TROUBLE-1/Vajra |
 |