Links
SharePointDumper is a PowerShell utility that extracts and audits SharePoint sites using Microsoft Graph. It requires an OAuth2 access token and provides detailed reports of accessed sites and downloaded files, making it useful for security assessments.
KustoHawk is a PowerShell script designed for incident triage and response within Microsoft Defender XDR and Sentinel environments. It collects indicators of compromise and runs queries against the Graph API to provide detailed activity reports for devices or accounts. Users can adjust the timeframe of data collection and export results for further analysis.
NEBULA is a PowerShell tool designed for testing Windows execution and persistence methods, including LOLBAS techniques. It provides a menu-driven interface for security researchers and teams to execute tests and log results. Example payloads sourced from Atomic Red Team are included for safe experimentation.
Win11Debloat is a PowerShell script designed to simplify the process of removing unwanted pre-installed apps and modifying various Windows settings. It offers options for both casual users and system administrators to customize their Windows experience easily. The script allows for quick changes while ensuring that most modifications can be reverted later.
TrollRPC is a library that blocks RPC calls selected by interface UUID and OPNUM, primarily to bypass security mechanisms such as AMSI by tampering with specific RPC calls. Recent updates add methods to block file access by antivirus software and separate instructions for Windows 10 and Windows 11. The tool is intended for educational purposes and stresses that bypassing security features takes creativity rather than a fixed recipe.
Monkey365 is an open-source PowerShell module designed to facilitate security configuration reviews for Microsoft 365, Azure subscriptions, and Microsoft Entra ID. It helps identify security gaps and misconfigurations while providing recommendations based on industry best practices and compliance standards. The tool supports over 160 checks and generates reports aligned with the CIS benchmarks for enhanced security assessment.
A Python utility creates zip files that carry hidden data, which a Windows shortcut file can later extract. The script places the smuggled bytes inside the zip structure without giving them a central directory entry, so ordinary archive tools never list them and a casual inspection of the archive shows nothing unusual. Extraction is done by a PowerShell command that reads the hidden content out of the archive and saves it as a text file.
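The defensive counterpart to the utility above, added here as an example and not code from the Python project: a PowerShell function that parses the zip central directory and reports every byte range that no indexed entry, the central directory or the end-of-central-directory record accounts for. Those unaccounted ranges are exactly where smuggled data can sit. The demo at the bottom builds a small archive with `Compress-Archive` and appends a few constructed bytes after the EOCD record so the function has something to find; the function does not handle ZIP64 archives (an assumption stated in the comments).

```powershell
# Added example: list byte ranges in a .zip that no indexed structure covers.
# Assumption: classic (non-ZIP64) archives; sizes of 0xFFFFFFFF are not resolved.
function Find-ZipGap {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $len = $bytes.Length
    function Get-U16($b, $o) { [System.BitConverter]::ToUInt16($b, $o) }
    function Get-U32($b, $o) { [System.BitConverter]::ToUInt32($b, $o) }

    # Locate the End Of Central Directory record (PK\5\6) scanning backwards from the tail.
    $eocd = -1
    for ($i = $len - 22; $i -ge [Math]::Max(0, $len - 65557); $i--) {
        if ((Get-U32 $bytes $i) -eq 0x06054b50) { $eocd = $i; break }
    }
    if ($eocd -lt 0) { throw "No EOCD record found in $Path" }

    $entryCount = Get-U16 $bytes ($eocd + 10)
    $cdSize     = Get-U32 $bytes ($eocd + 12)
    $cdOffset   = Get-U32 $bytes ($eocd + 16)
    $commentLen = Get-U16 $bytes ($eocd + 20)

    # [start, end) ranges that legitimate structures occupy.
    $covered = New-Object System.Collections.Generic.List[object]
    $covered.Add(@([int64]$cdOffset, [int64]$cdOffset + $cdSize))
    $covered.Add(@([int64]$eocd, [int64]$eocd + 22 + $commentLen))

    # Walk the central directory; each entry points at a local header plus compressed data.
    $p = [int64]$cdOffset
    for ($n = 0; $n -lt $entryCount; $n++) {
        if ((Get-U32 $bytes $p) -ne 0x02014b50) { throw "Bad central directory entry at offset $p" }
        $compSize = Get-U32 $bytes ($p + 20)
        $nameLen  = Get-U16 $bytes ($p + 28)
        $extraLen = Get-U16 $bytes ($p + 30)
        $cmtLen   = Get-U16 $bytes ($p + 32)
        $lho      = [int64](Get-U32 $bytes ($p + 42))

        # Local header: 30 fixed bytes + name + extra, then the compressed data.
        $flags     = Get-U16 $bytes ($lho + 6)
        $lNameLen  = Get-U16 $bytes ($lho + 26)
        $lExtraLen = Get-U16 $bytes ($lho + 28)
        $dataEnd   = $lho + 30 + $lNameLen + $lExtraLen + $compSize
        if ($flags -band 0x8) {
            # Data descriptor follows: 12 bytes, or 16 if it carries the optional signature.
            $dataEnd += if ((Get-U32 $bytes $dataEnd) -eq 0x08074b50) { 16 } else { 12 }
        }
        $covered.Add(@($lho, $dataEnd))
        $p += 46 + $nameLen + $extraLen + $cmtLen
    }

    # Merge the covered ranges and emit whatever is left over.
    $cursor = [int64]0
    $gaps = @()
    foreach ($r in ($covered | Sort-Object { $_[0] })) {
        if ($r[0] -gt $cursor) { $gaps += ,@($cursor, $r[0]) }
        if ($r[1] -gt $cursor) { $cursor = $r[1] }
    }
    if ($len -gt $cursor) { $gaps += ,@($cursor, [int64]$len) }

    foreach ($g in $gaps) {
        $start = [int]$g[0]; $end = [int]$g[1]
        $preview = ($bytes[$start..([Math]::Min($end - 1, $start + 15))] | ForEach-Object { $_.ToString('x2') }) -join ' '
        [pscustomobject]@{ Offset = $start; Length = $end - $start; Preview = $preview }
    }
}

# Demo with constructed data: a normal archive, then a few bytes appended after the EOCD record.
$work = Join-Path ([System.IO.Path]::GetTempPath()) ("zipgap-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
Set-Content -Path (Join-Path $work 'readme.txt') -Value 'harmless content'
$zip = Join-Path $work 'sample.zip'
Compress-Archive -Path (Join-Path $work 'readme.txt') -DestinationPath $zip
$fs = [System.IO.File]::Open($zip, 'Append')
$fs.Write([System.Text.Encoding]::ASCII.GetBytes('SMUGGLED'), 0, 8)   # constructed payload
$fs.Close()

Find-ZipGap -Path $zip | Format-Table -AutoSize
```

A clean archive produced by `Compress-Archive` reports no gaps; the demo archive reports one eight-byte range at the very end. Data hidden between two local file entries, or before the first one, shows up the same way, because the walk is driven by the central directory rather than by scanning for signatures.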
A cybersecurity researcher has introduced FileFix, a new variant of the ClickFix social engineering attack, which abuses the Windows File Explorer address bar to execute malicious PowerShell commands. The lure disguises the command inside what looks like a legitimate file-sharing notification and tricks the user into pasting it into the address bar, a step that feels far more natural to the victim than a terminal prompt and so raises the attacker's success rate. FileFix shows how readily phishing techniques adapt: the user sees a familiar interface while a harmful command runs underneath.
MSSQLHound is a PowerShell collector that brings Microsoft SQL Server attack paths into BloodHound through OpenGraph. It collects data from MSSQL servers into temporary files that are zipped and uploaded to BloodHound, and offers a range of command line options to customize collection. The documentation also covers the collector's current limitations, planned development, and a full reference of the MSSQL node and edge types it emits.
A PowerShell tool for managing and auditing Role-Based Access Control (RBAC) in Microsoft Intune offers detailed insights into RBAC configurations, including role assignments and permissions. It features an interactive HTML report with security analysis, a permissions matrix, and a new security review dashboard to assess risk levels and security posture. Utility scripts facilitate specific RBAC management tasks such as exporting roles and assigning scope tags.
Devious-WinRM is a PowerShell remoting client that simplifies Kerberos authentication and can execute .NET binaries in memory, which helps evade antivirus detection. It works around limitations of WinRM by using RunasCs for command execution and comes with extensive installation and usage documentation. The project draws inspiration from Evil-WinRM and pypsrp.
This article describes implementing an MCP server that talks to a Command and Control (C2) system: a Python server exposes endpoints for managing tasks, a PowerShell client calls back to the C2 server, and the author walks through the configuration Claude needs in order to issue requests to the C2 through the MCP server.
The article discusses a method for escalating privileges in a cloud-native environment by manipulating an administrator's PowerShell profile after gaining OneDrive permissions. The process involves uploading a backdoor script to the admin's OneDrive, which executes when they launch PowerShell, allowing attackers to harvest sensitive tokens and potentially gain further access to the system.
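A check an administrator can run on their own host after reading the above, added here as an example rather than code from the article: it lists every PowerShell profile location (the four `$PROFILE` variants plus the Windows PowerShell and PowerShell 7 paths under the redirected Documents folder), flags any that resolve under a OneDrive-synced root, and records a hash and last-write time so an unexpected profile stands out. It assumes OneDrive's Known Folder Move is what puts `Documents` (and therefore the profile) under OneDrive, and that the `OneDrive`, `OneDriveCommercial` and `OneDriveConsumer` environment variables point at the synced roots; both assumptions are noted in the comments.

```powershell
# Added example: audit PowerShell profile files and flag those synced through OneDrive.
# Assumption: OneDrive Known Folder Move redirects Documents, so $PROFILE lands in the
# synced tree; the OneDrive* environment variables give the synced root folders.
$documents = [Environment]::GetFolderPath('MyDocuments')
$candidates = @(
    $PROFILE.AllUsersAllHosts,
    $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts,
    $PROFILE.CurrentUserCurrentHost,
    (Join-Path $documents 'WindowsPowerShell\profile.ps1'),
    (Join-Path $documents 'WindowsPowerShell\Microsoft.PowerShell_profile.ps1'),
    (Join-Path $documents 'PowerShell\profile.ps1'),
    (Join-Path $documents 'PowerShell\Microsoft.PowerShell_profile.ps1')
) | Sort-Object -Unique

$oneDriveRoots = @($env:OneDrive, $env:OneDriveCommercial, $env:OneDriveConsumer) | Where-Object { $_ }

function Get-ProfileAudit {
    foreach ($path in $candidates) {
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $synced = $oneDriveRoots | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        $item = if ($exists) { Get-Item -LiteralPath $path } else { $null }
        [pscustomobject]@{
            Path          = $path
            Exists        = $exists
            OneDriveSynced = [bool]$synced
            LastWriteUtc  = if ($item) { $item.LastWriteTimeUtc } else { $null }
            SHA256        = if ($item) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            Lines         = if ($item) { @(Get-Content -LiteralPath $path).Count } else { 0 }
        }
    }
}

# Profiles that exist and sit in a synced folder are the ones to read line by line.
Get-ProfileAudit | Sort-Object -Property OneDriveSynced, Exists -Descending | Format-Table -AutoSize
```

Run it in the context of the account being reviewed, since `$PROFILE` and `MyDocuments` are per-user. Anything that must not inherit a tampered profile (scheduled tasks, automation, remote sessions) should also be launched with `-NoProfile`, which sidesteps this persistence path entirely.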
Azure AppHunter is an open-source PowerShell tool designed for security professionals to analyze and identify excessive or risky permissions assigned to Azure Service Principals. It enables users to enumerate dangerous Microsoft Graph permissions, detect privileged role assignments, and uncover potential escalation paths in Azure environments with minimal dependencies. The tool supports integration into automation and red teaming workflows, making it valuable for cloud security assessments.
EntraFalcon is a PowerShell tool designed for security assessments of Microsoft Entra ID environments, suitable for pentesters and system administrators. It helps identify misconfigurations and risks related to privileged accounts and access policies, generating interactive HTML reports for analysis. The tool operates without external dependencies, supports multiple authentication methods, and is compatible with both Windows and Linux systems.
b3acon is a command-and-control (C2) tool built on an in-memory C# IMAP client loaded through PowerShell, so operators send commands and receive execution results over email. It supports dynamic command execution and ships a web-based generator that emits the client script in multiple formats. Designed for educational purposes, it stresses responsible use and requires explicit permission before deployment.
A recent incident involving the LUMMA infostealer illustrated a newer initial access method: users were directed to a fake CAPTCHA page that led them to execute PowerShell commands, after which the malware targeted sensitive browser data in Microsoft Edge and Google Chrome. NCC Group's DFIR team documented the timeline, including the initial access chain and the tactics the malware used to steal credentials.
BlackCat is a PowerShell module aimed at validating the security of Microsoft Azure environments by identifying potential security risks and ensuring compliance with best practices. It requires PowerShell 7.0 or higher and the Az.Accounts module, and is set to be published on the PowerShell Gallery after completion. Users can also contribute to the project by providing feedback or making code contributions through GitHub.
ADeleginator is a tool designed to identify insecure trustee and resource delegations in Active Directory, serving as a wrapper around the existing tool ADeleg. Users can set it up by downloading the necessary components and running a PowerShell script to execute the tool. The project is credited to Spencer Alessi and acknowledges the contributions of @mtth-bfft.
The blog explores the use of various APIs, specifically the Graph API, Azure Monitor API, and Defender ATP API, for enhancing security operations and automating threat detection. It provides insights into the available data, permissions required, limitations, and includes ready-to-use PowerShell scripts for executing KQL queries across these APIs. A focus is placed on best practices for querying and the advantages of using the Graph API for comprehensive data access.
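A minimal version of the Graph API path the blog describes, added here as an example and not one of the blog's own scripts: a function that posts a KQL query to the Microsoft Graph advanced hunting endpoint (`POST /v1.0/security/runHuntingQuery`, which needs the `ThreatHunting.Read.All` permission) and returns the result rows. The access token is assumed to have been obtained separately (device code, client credentials, or whatever the environment allows); the KQL below is an illustrative hunt for encoded or download-cradle PowerShell spawned from Explorer, not a query taken from the blog.

```powershell
# Added example: run a KQL query through Microsoft Graph advanced hunting.
# Assumption: $AccessToken already holds a bearer token carrying ThreatHunting.Read.All.
function Invoke-GraphHuntingQuery {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$Query
    )
    $uri  = 'https://graph.microsoft.com/v1.0/security/runHuntingQuery'
    $body = @{ Query = $Query } | ConvertTo-Json -Compress
    $response = Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -Body $body
    # The response carries a 'schema' array describing the columns and a 'results' array of rows.
    $response.results
}

# Illustrative hunt: PowerShell launched from explorer.exe with encoded or download-cradle arguments.
$kql = @'
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where InitiatingProcessFileName =~ "explorer.exe"
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "IEX", "DownloadString", "Invoke-WebRequest")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| take 50
'@

Invoke-GraphHuntingQuery -AccessToken $AccessToken -Query $kql | Format-Table -AutoSize
```

The same query body works unchanged against the Defender endpoint the blog contrasts it with; what differs is the host, the permission scope, and the Graph endpoint's 30-day lookback and per-query row cap, so keep `ago()` windows and `take` limits explicit rather than relying on defaults.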
A PowerShell-based GUI tool enables efficient management and offboarding of devices from Microsoft Intune, Autopilot, and Entra ID. It features bulk operations, secure authentication methods, and a real-time dashboard for monitoring device statistics and distribution. The tool requires PowerShell 7 and Microsoft Graph API permissions for full functionality.