Msticpy – Microsoft Threat Intelligence Security Tools

Microsoft Threat Intelligence Python Security Tools. msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to: query log data from multiple sources enrich the data with Threat Intelligence, geolocations and Azure resource data extract Indicators of Activity (IoA) from logs and unpack encoded data perform sophisticated analysis such asRead More

Kekeo – A Little Toolbox To Play With Microsoft Kerberos In C

kekeo is a little toolbox I have started to manipulate Microsoft Kerberos in C (and for fun) ASN.1 library In kekeo, I use an external commercial library to deal with Kerberos ASN.1 structures: OSS ASN.1/C ( It was the only code generator/library that I’ve found to work easily with Microsoft C project. works without aRead More

CVE-2021-40444 PoC – Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)

Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution) Creation of this Script is based on some reverse engineering over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file) You need to install lcab first (sudo apt-get install lcab) Check for manual reproduce steps If your generated cab is not working, try pointingRead More

TREVORspray – A Featureful Round-Robin SOCKS Proxy And Python O365 Sprayer Based On MSOLSpray Which Uses The Microsoft Graph API

TREVORproxy is a SOCKS proxy that round-robins requests through SSH hosts. TREVORspray is a A featureful Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API By @thetechr0mancer Microsoft is getting better and better about blocking password spraying attacks against O365. TREVORspray can solve this by proxying its requests through an unlimited numberRead More

TeamsUserEnum – User Enumeration With Microsoft Teams API

Sometimes user enumeration could be sometimes useful during the reconnaissance of an assessment. This tool will determine if an email is registered on teams or not. More details on the immunIT’s blog Usage Microsoft Teams with the search features. This tool validates an email address or a list of email addresses. If these emails existRead More

DefenderCheck – Identifies The Bytes That Microsoft Defender Flags On

Quick tool to help make evasion work a little bit easier. Takes a binary as input and splits it until it pinpoints that exact byte that Microsoft Defender will flag on, and then prints those offending bytes to the screen. This can be helpful when trying to identify the specific bad pieces of code inRead More

ProxyLogon – PoC Exploit for Microsoft Exchange

PoC Exploit for Microsoft Exchange Launche Original PoC: How to use: python <name or IP of server> <[email protected]> Example: python primary [email protected] If successful you will be dropped into a webshell. exit or quit to escape from the webshell (or ctrl+c) By default, it will create a file test.aspx. This can beRead More

PE-Packer – A Simple Windows X86 PE File Packer Written In C And Microsoft Assembly

PE-Packer is a simple packer for Windows PE files. The new PE file after packing can obstruct the process of reverse engineering. It will do the following things when packing a PE file: Transforming the original import table. Encrypting sections. Clearing section names. Installing the shell-entry. When running a packed PE file, the shell-entry willRead More

COM-Code-Helper – Two IDAPython Scripts Help You To Reconstruct Microsoft COM (Component Object Model) Code

Two IDAPython Scripts help you to reconstruct Microsoft COM (Component Object Model) Code Especially malware reversers will find this useful, as COM Code is still regularly found in malware. This IDAPython script scans an idb file for class and interfaces UUIDs and creates the matching structure and its name. Make sure to copy interfaces.txtRead More