2025 Red Team Tools – Cloud & Identity Exploitation, Evasion & Developer Libraries

In our Red Team Tools Part 1 roundup, we highlighted tools commonly used for C2 (like Sliver), Active Directory, and network exploitation, but more importantly, we underscored how skilled operators wield those tools with precision, creativity, and intent.

This time, we’re turning our focus to cloud environments, identity exploitation, evasion techniques, and a few developer libraries we take advantage of when the path forward isn’t so obvious. These are less about flashy features and more about adaptability…knowing when and how to use the right technique to stay quiet, stay persistent, and achieve your objective.

Because Red Teaming isn’t just about getting in, it’s about thinking like an adversary, operating with finesse, and making every move count.

Cloud & Identity Exploitation:

17.  AzureHound

Creator: SpecterOps (@SpecterOps)

“An Azure Data Exporter for BloodHound.”

DESCRIPTION: AzureHound extends BloodHound’s capabilities to Azure AD, mapping out complex roles, group memberships, and privilege escalation paths. It’s a great tool for visualizing and exploiting cloud identity relationships using the Graph API.

18.  ROADtools

Creator: Dirk-jan Mollema (@dirkjanm)

“A collection of Azure AD/Entra tools for offensive and defensive security purposes.”

DESCRIPTION: ROADtools makes it easy to enumerate and explore Azure AD tenants with a modular, scriptable approach, and a handy web UI for visualization. It’s especially useful when you’ve got a token and want to dig deeper without bulky cloud tools.  

19.  AADInternals

Creator: Nestori Syynimaa (@NestoriSyynimaa)

DESCRIPTION: AADInternals gives Red Teamers deep access to Azure AD internals, from token manipulation to federation backdoors, making it ideal for advanced cloud attack simulation. It’s a powerful tool for testing persistence and privilege in Microsoft 365 environments.  

20.  GraphRunner

Creator: Beau Bullock (@dafthack)

“A post-exploitation toolset for interacting with the Microsoft Graph API.”

DESCRIPTION: GraphRunner makes querying the Graph API from PowerShell fast and painless, enabling you to easily map Azure AD or dig into roles and permissions, even with limited access.  

21.  TREVORspray

Creator: Black Lantern Security (@blacklanternsecurity)

“A modular password sprayer with threading, clever proxying, loot modules, and more.”

DESCRIPTION: It’s not just another spray-and-pray tool. TREVORspray is designed for stealth, with features like randomized user agents and throttling to avoid detection. If you're testing real-world credential hygiene without tripping alarms, this one earns its keep.  

22.  MFASweep

Creator: Beau Bullock (@dafthack)

“A tool for checking if MFA is enabled on multiple Microsoft Services.”

DESCRIPTION: MFASweep is a quick and quiet way to assess which accounts are soft targets in a cloud environment. Knowing who doesn’t have MFA is pure gold when planning password spray attacks or credential stuffing. 

23.  SeamlessPass

Creator: Malcrove (@malcrove)

“A tool leveraging Kerberos tickets to get Microsoft 365 access tokens using Seamless SSO.”

DESCRIPTION: This tool targets a newer and often-overlooked attack surface, Windows Hello for Business, making it both timely and sneaky. By leveraging device-bound certificates, SeamlessPass offers a stealthy persistence mechanism that can fly under the radar of many traditional defenses.  

24.  MicroBurst

Creator: Karl Fosaaen (@kfosaaen) of NetSPI (@NetSPI)

“A collection of scripts for assessing Microsoft Azure security.”

DESCRIPTION: Azure can be a goldmine when misconfigured, and MicroBurst helps you find and dig into those weak spots quickly. From enumerating roles and permissions to dumping credentials or abusing automation accounts, it’s a solid cloud recon and post-exploitation toolkit.

Evasion & Developer Libraries:

25.  Minikerberos

Creator: SkelSec (@skelsec)

“A Kerberos manipulation library in pure Python.”

DESCRIPTION: Minikerberos gives Red Teamers fine control over Kerberos, like ticket requests, forgeries, and attacks like AS-REP roasting, all from userland, with no native calls. Its Python base makes it easy to read, tweak, and bolt onto your own tools, especially in stealthy or constrained environments.

26. Windows-rs

Creator: Microsoft (@Microsoft)

“Rust for Windows.”

DESCRIPTION: Windows-rs is a Rust crate that bridges the power of low-level Windows internals with Rust’s safety and performance, making it great for building stealthy tooling or low-noise implants. If you’re crafting custom Windows tools and care about stability and speed, windows-rs is a strong foundation.

27.  Scapy

Creator: SecDev (@SecDev)

“A powerful interactive packet manipulation library written in Python.”

DESCRIPTION: Scapy gives Red Teamers deep control over packets for fuzzing, spoofing, and recon, all through simple, scriptable workflows. It’s a go-to tool when you need custom traffic without reaching for external utilities.

28.  Pwntools (@pwntools) 

Creator: GallopSled (@gallopsled)

“A Python-based CTF framework and exploit development library.”

DESCRIPTION: Pwntools feels like cheating, but in the best way possible. It’s like a Swiss Army knife for exploit developers, built in Python and packed with utilities for crafting payloads, interacting with processes, and automating pwn challenges. It makes the workflow fast, clean, and even a little fun.

29.  Volatility

Creator: Volatility Foundation (@volatilityfoundation)

“An advanced memory forensics framework.”

DESCRIPTION: Volatility is your go-to neurosurgeon for digging into memory – revealing hidden processes, injected code, and stealthy persistence with ease. Its rich plugin ecosystem and cross-platform support make it invaluable for deep forensic analysis and threat hunting.

30.  Frida

Creator: Frida (@frida)

“A dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.”

DESCRIPTION: Frida lets you inject your own code into running apps, giving you dynamic insight and control without needing source access. It’s a go-to for Red Teamers poking at mobile apps, binaries, and anything else that needs a bit of runtime mischief.

31.  Evilginx (@evilgynx2)

Creator: Kuba Gretzky (@kgretzky)

“A Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.” 

DESCRIPTION: Unlike traditional phishing pages, Evilginx doesn’t just steal usernames and passwords, it grabs session tokens, effectively bypassing two-factor authentication (2FA) and letting Red Teamers log in without triggering alerts. Its modular design and realistic phishing pages help simulate high-impact attacks in a way that’s hard to detect.

32.  CursedChrome

Creator: Matthew Bryant (@mandatoryprogrammer)

“A Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims.”

DESCRIPTION: CursedChrome lets Red Teamers hijack browser sessions in real time, making it a powerful tool for post-exploitation and internal pivoting. It’s stealthy, easy to manage, and perfect for demonstrating the real-world impact of compromised endpoints.

There’s a whole ecosystem out there to dig into, but we hope these picks give you a solid head start and a slight edge on your next engagement.

What makes Bishop Fox's approach different? It's not just about running tools against targets, it's about our Red Team combining technical prowess with strategic thinking to deliver insights that truly matter to your security posture. If you want to see how we achieve success, check out our Red Team methodology.


About the author, Bishop Fox

Security Researchers

This represents research and content from the Bishop Fox consulting team.
