GraphRunner: A Post-Exploitation Toolset for Microsoft 365
We built a post-compromise toolset called GraphRunner for interacting with the Microsoft Graph API. It provides various tools for performing reconnaissance, persistence, and pillaging of data from a Microsoft Entra ID (Azure AD) account. Below are some of the main features. At the end of the blog post, make sure to take a peek at the potential attack path scenarios we have laid out. There are a few in there we think may be quite interesting to both offensive and defensive security team members.
Main Features:
Search and export email
Search and export SharePoint and OneDrive files accessible to a user
Search all Teams chats and channels visible to the user and export full conversations
Deploy malicious apps
Discover misconfigured mailboxes that are exposed
Clone security groups to carry out watering hole attacks
Find groups that can be modified directly by your user or where membership rules can be abused to gain access
Search all user attributes for specific terms
Leverage a GUI built on the Graph API to pillage a user’s account
Dump conditional access policies
Dump app registrations and external apps including consent and scope to identify potentially malicious apps
Tools to complete OAuth flow during consent grant attacks
Continuously refresh your token package
GraphRunner doesn’t rely on any third-party libraries or modules
Works with Windows and Linux
You can find GraphRunner here: https://github.com/dafthack/GraphRunner/
There are three main pieces to GraphRunner:
GraphRunner.ps1 – A PowerShell script containing a number of modules for post-compromise recon, persistence, and pillaging of an account.
GraphRunnerGUI.html – An HTML graphic user interface to be used with an access token. Provides various modules around enumeration and pillaging data from services such as Outlook, SharePoint, OneDrive, and Teams.
PHPRedirector -A basic PHP script that can be used to capture OAuth authorization codes during an OAuth consent flow and a Python script to automatically complete the flow to obtain access tokens.
GraphRunner PowerShell
GraphRunner includes a PowerShell set of tools to assist with carrying out various attacks during post-exploitation of a Microsoft Entra ID (Azure AD) tenant. Most of the modules rely on having authenticated access tokens. To assist with this, there are multiple modules for obtaining and working with both user and application (service principal) tokens. The majority of modules don’t require a privileged account.
To get started, import GraphRunner into a new PowerShell session.
Import-Module .\GraphRunner.ps1
Here’s a high-level summary of each module included in the PowerShell script:
Authentication
Get-GraphTokens – Authenticate as a user to Microsoft Graph
Invoke-RefreshGraphTokens – Use a refresh token to obtain new access tokens
Get-AzureAppTokens – Complete OAuth flow as an app to obtain access tokens
Invoke-RefreshAzureAppTokens – Use a refresh token and app credentials to refresh a token
Invoke-AutoTokenRefresh – Refresh tokens at an interval
Recon & Enumeration Modules
Invoke-GraphRecon – Performs general recon for org info, user settings, directory sync settings, etc.
Invoke-DumpCAPS – Gets conditional access policies
Invoke-DumpApps – Gets app registrations and external enterprise apps, along with consent and scope info
Get-AzureADUsers – Gets user directory
Get-SecurityGroups – Gets security groups and members
Get-UpdatableGroups – Gets groups that may be able to be modified by the current user
Get-DynamicGroups – Finds dynamic groups and displays membership rules
Get-SharePointSiteURLs – Gets a list of SharePoint site URLs visible to the current user
Invoke-GraphOpenInboxFinder – Checks each user’s inbox in a list to see if they are readable
Get-TenantID – Retrieves the tenant GUID from the domain name
Persistence Modules
Invoke-InjectOAuthApp – Injects an app registration into the tenant
Invoke-SecurityGroupCloner – Clones a security group while using an identical name and member list but can inject another user as well
Invoke-InviteGuest – Invites a guest user to the tenant
Invoke-AddGroupMember – Adds a member to a group
Pillage Modules
Invoke-SearchSharePointAndOneDrive – Search across all SharePoint sites and OneDrive drives visible to the user
Invoke-ImmersiveFileReader – Open restricted files with the immersive reader
Invoke-SearchMailbox – Has the ability to do deep searches across a user’s mailbox and can export messages
Invoke-SearchTeams – Can search all Teams messages in all channels that are readable by the current user
Invoke-SearchUserAttributes – Search for terms across all user attributes in a directory
Get-Inbox – Gets the latest inbox items from a mailbox and can be used to read other user mailboxes (shared)
Get-TeamsChat – Downloads full Teams chat conversations
Invoke-GraphRunner Module
Invoke-GraphRunner – Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams.
Supplemental Modules
Invoke-AutoOAuthFlow – Automates the OAuth flow completion to obtain access and refresh keys when a user grants consent to an app registration
Invoke-DeleteOAuthApp – Delete an OAuth App
Invoke-DeleteGroup – Delete a group
Invoke-RemoveGroupMember – Module for removing users/members from groups
Invoke-DriveFileDownload – Has the ability to download single files from SharePoint and OneDrive as the current user
Invoke-CheckAccess – Check if tokens are valid
Invoke-HTTPServer – A basic web server to use for accessing the emailviewer that is output from Invoke-SearchMailbox
Invoke-BruteClientIDAccess – Test different client_id’s against MSGraph to determine permissions
Invoke-ImportTokens – Import tokens from other tools for use in GraphRunner
Get-UserObjectID – Retrieves an Object ID for a user
REFERENCES
Last updated
Was this helpful?