-
Notifications
You must be signed in to change notification settings - Fork 165
GraphRunner.ps1
Beau Bullock edited this page Sep 1, 2023
·
39 revisions
GraphRunner includes a PowerShell set of tools to assist with carrying out various attacks during post-exploitation of a Microsoft Azure tenant. Most of the modules rely on having authenticated access tokens. To assist with this there are multiple modules for obtaining and working with both user and application (service principal) tokens.
To get started, import GraphRunner into a new PowerShell session.
Import-Module .\GraphRunner.ps1- Get-GraphTokens - Authenticate as a user to Microsoft Graph
- Refresh-GraphTokens - Use a refresh token to obtain new access tokens
- Get-AzureAppTokens - Complete OAuth flow as an app to obtain access tokens
- Refresh-AzureAppTokens - Use a refresh token and app credentials to refresh a token
- Invoke-AutoOAuthFlow - Automates OAuth flow by standing up a web server and listening for auth code
- Check-MSGraphAccess - Check if tokens are valid
- Invoke-GraphRecon - Performs general recon for org info, user settings, directory sync settings, etc
- Invoke-DumpCAPS - Gets conditional access policies
- Invoke-DumpApps - Gets app registrations and external enterprise apps along with consent and scope info
- Get-AzureADUsers - Gets user directory
- Get-SecurityGroups - Gets security groups and members
- Invoke-GraphOpenInboxFinder - Checks each user’s inbox in a list to see if they are readable
- Inject-OAuthApp - Injects an app registration into the tenant
- Invoke-SecurityGroupCloner - Clones a security group while using an identical name and member list but can inject another user as well
- Invite-GuestUser - Invites a guest user to the tenant
- Get-Inbox - Gets inbox items
- Invoke-SearchMailbox - Has the ability to do deep searches across a user’s mailbox and can export messages
- Invoke-SearchSharePointAndOneDrive - Search across all SharePoint sites and OneDrive drives visible to the user
- Invoke-SearchUserAttributes - Search for terms across all user attributes in a directory