https://github.com/tbhaxor/cartx

Collection of powershell scripts I used to complete my CARTP and CARTE courses.
https://github.com/tbhaxor/cartx

azure-ad carte entraid powershell red-team

Last synced: 4 months ago
JSON representation

Collection of powershell scripts I used to complete my CARTP and CARTE courses.

• Host: GitHub
• URL: https://github.com/tbhaxor/cartx
• Owner: tbhaxor
• License: mit
• Created: 2025-04-21T15:34:24.000Z (about 1 year ago)
• Default Branch: main
• Last Pushed: 2025-08-20T07:50:45.000Z (10 months ago)
• Last Synced: 2025-08-20T09:31:35.225Z (10 months ago)
• Topics: azure-ad, carte, entraid, powershell, red-team
• Language: PowerShell
• Homepage:
• Size: 23.4 KB
• Stars: 42
• Watchers: 1
• Forks: 5
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# CARTX

**CARTX** is a collection of PowerShell scripts created during the **CARTP** and **CARTE** exams to streamline assessments and enhance results in Azure and Entra ID environments.

## Included Functions

- `Connect-AzRedLab`  

  Connect to Azure RedLabs and Microsoft Graph.

- `Get-AzResourcePermission`  

  Retrieve permissions on Azure resources, even without Reader role.

- `Get-MgRoleAssignment`  

  Get role assignments of identities in Entra ID, with directory scope expansion.

- `Invoke-AzClientCredentialsFlow`  

  Obtain access tokens for enterprise applications using client ID and secret or certificate. Supports JWT signing via Azure Key Vault.

- `Invoke-AzDeviceCodeLogin`  

  Initiate the device code login flow. Waits for authentication and returns tokens upon success.

- `Invoke-AzRefreshToken`  

  Refresh tokens using FOCI abuse techniques.

- `Invoke-EmailGenerator`  

  Generate email addresses using a domain or display name wordlist.

- `Invoke-AzAddAppCredentialEnumerate`  

  Enumerates Microsoft Entra applications for which a principal can potentially add or update credentials.

- `New-AzStorageAccountSAS`  

  Generate SAS URLs for Azure Storage accounts or containers.

- `Read-AccessTokenFromDescryptedTBRES`  

  Extract JWT tokens from decrypted TBRES files. Expired tokens are filtered out by default.

- `Test-AADUserLogin`  

  Perform password spraying against AAD user accounts. Includes throttling bypass using the `Start-Sleep` cmdlet.

## Compatibility

✅ **Tested on**: PowerShell 7 (Linux)  

⚠️ **Partial PowerShell 5 support**: Some scripts work on PowerShell 5, but the full set has not been tested. PRs to improve compatibility are welcome.

## Contact

- 🐦 Twitter: [@tbhaxor](https://twitter.com/tbhaxor)

- 💼 LinkedIn: [@tbhaxor](https://www.linkedin.com/in/tbhaxor)

- 📧 Email: [info@tbhaxor.com](mailto:info@tbhaxor.com)