Stars
A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
Group Policy Eater is a PowerShell module that aims to gather information about Group Policies but also allows fixing issues that you may find in them.
Dominate Active Directory with PowerShell.
Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance.
PowerHuntShares is an audit script designed to inventory, analyze, and report excessive privileges configured on Active Directory domains.
Active Directory Auditing and Enumeration
PowerShell scripts for alternative SharpHound enumeration, including users, groups, computers, and certificates, using the ActiveDirectory module (ADWS) or System.DirectoryServices class (LDAP).
An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations.
LudusHound is a tool for red and blue teams that transforms BloodHound data into a fully functional, Active Directory replica environment via Ludus for controlled testing.
A companion tool that uses ADeleg to find insecure trustee and resource delegations in Active Directory
A lightweight PowerShell tool for assessing the security posture of Microsoft Entra ID environments. It helps identify privileged objects, risky assignments, and potential misconfigurations.
Privacy and security baseline for personal Windows 10 and Windows 11
PowerShell toolkit that extracts locked Windows files (SAM, SYSTEM, NTDS, ...) using MFT parsing and raw disk reads
A PowerShell script to perform PKINIT authentication with the Windows API from a non domain-joined machine.
Gain insights into COM/DCOM implementations that may be vulnerable using an automated approach and make it easy to visualize the data. By following this approach, a security researcher will hopeful…
Audits an AppLocker policy XML and reports weak/misconfigured/risky settings, including actual ACL checks.
Simple PowerShell HTTP Server (no dependencies, single file, PowerShell 5.1/7)
PowerShell tool that shows how to read and write NTLM OWF values via samlib.dll.
This technique leverages PowerShell's .NET interop layer and COM automation to achieve stealthy command execution by abusing implicit type coercion
Decrypt SCCM and DPAPI secrets with PowerShell.
Helps defenders find their WSUS configurations in the wake of CVE-2025-59287
Token impersonation in PowerShell to execute under the context of another user.