Skip to content

GraphRunner.ps1

Jump to bottom
Beau Bullock edited this page Aug 30, 2023 · 39 revisions

GraphRunner.ps1

GraphRunner includes a PowerShell set of tools to assist with carrying out various attacks during post-exploitation of a Microsoft Azure tenant. Most of the modules rely on having authenticated access tokens. To assist with this there are multiple modules for obtaining and working with both user and application (service principal) tokens.

To get started, import GraphRunner into a new PowerShell session.

Import-Module .\GraphRunner.ps1

Getting Started

  • Get-GraphTokens -
  • Refresh-GraphTokens -
  • Get-AzureAppTokens -
  • Refresh-AzureAppTokens -
  • Check-MSGraphAccess -
  • Invoke-AutoOAuthFlow -

Recon & Enumeration Modules

  • Invoke-GraphRecon -
  • Invoke-DumpCAPS -
  • Invoke-DumpApps -
  • Get-AzureADUsers -
  • Get-SecurityGroups -
  • Invoke-GraphOpenInboxFinder -

Persistence Modules

  • Inject-OAuthApp -
  • Invoke-SecurityGroupCloner -
  • Invite-GuestUser -

Pillage Modules

  • Get-Inbox -
  • Invoke-SearchMailbox -
  • Invoke-UserAttributeSearch -

Clone this wiki locally