A simple, lightweight PowerShell script that allows you to remove pre-installed apps, disable telemetry, as well as perform various other changes to declutter and customize your Windows experience.…

Force Remove Copilot, Recall and More in Windows 11

game of active directory

Privilege Escalation Enumeration Script for Windows

Automation for internal Windows Penetrationtest / AD-Security

This publication is a collection of various common attack scenarios on Microsoft Entra ID (formerly known as Azure Active Directory) and how they can be mitigated or detected.

A post-exploitation powershell tool for extracting juicy info from memory.

A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.

SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be r…

A Post-exploitation Toolset for Interacting with the Microsoft Graph API

Microsoft signed ActiveDirectory PowerShell module

WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs! ゑ羅（ウェラ）

Azure JWT Token Manipulation Toolset

ScriptSentry finds misconfigured and dangerous logon scripts.

Cover various security approaches to attack techniques and also provides new discoveries about security breaches.

Amnesiac is a post-exploitation framework entirely written in PowerShell and designed to assist with lateral movement within Active Directory environments

MAAD Attack Framework - An attack tool for simple, fast & effective security testing of M365 & Entra ID (Azure AD).

PowerShell scripts for alternative SharpHound enumeration, including users, groups, computers, and certificates, using the ActiveDirectory module (ADWS) or System.DirectoryServices class (LDAP).

Azure Post Exploitation Framework

PowerShell toolkit that extracts locked Windows files (SAM, SYSTEM, NTDS, ...) using MFT parsing and raw disk reads

Retrieve and display information about active user sessions on remote computers. No admin privileges required.

Interactive Shell and Command Execution over Named-Pipes (SMB) for Fileless lateral movement

PowerShell script to dump Microsoft Defender Config, protection history and Exploit Guard Protection History (no admin privileges required )

Two WinForms GUI tools for enumerating, searching, and exfiltrating data from M365 environments using application-level OAuth tokens

A pure PowerShell solution for Entra OAuth authentication, enabling easy retrieval of access and refresh tokens

Inboxfuscation is an advanced offensive & defensive framework for mailbox rule obfuscation and detection in Exchange environments.

Advanced In-Memory PowerShell Process Injection Framework

PowerShell tool that shows how to read and write NTLM OWF values via samlib.dll.

Tamper Active Directory user attributes to collect their hashes with MS-SNTP