Modular cross-platform Microsoft Graph API (Entra, o365, and Intune) enumeration and exploitation toolkit
mlcsec/Graphpython
Graphpython

Graphpython is a modular Python tool for cross-platform Microsoft Graph API enumeration and exploitation. It builds upon the capabilities of AADInternals (Killchain.ps1), GraphRunner, and TokenTactics(V2) to provide a comprehensive solution for interacting with the Microsoft Graph API for red team and cloud assumed breach operations.

Graphpython covers external reconnaissance, authentication/token manipulation, enumeration, and post-exploitation of various Microsoft services, including Entra ID (Azure AD), Office 365 (Outlook, SharePoint, OneDrive, Teams), and Intune (Endpoint Management).

Installation

Graphpython is designed to be cross-platform, ensuring compatibility with both Windows- and Linux-based operating systems:

git clone https://github.com/mlcsec/Graphpython.git
cd Graphpython
pip install .
Graphpython -h
# or
python3 Graphpython.py -h

Usage

Please refer to the Wiki for more details

Commands

Please refer to the Wiki for more details on the available commands

Outsider

  • Invoke-ReconAsOutsider
  • Invoke-UserEnumerationAsOutsider

Authentication

  • Get-GraphTokens
  • Get-TenantID
  • Get-TokenScope
  • Decode-AccessToken
  • Invoke-RefreshToMSGraphToken
  • Invoke-RefreshToAzureManagementToken
  • Invoke-RefreshToVaultToken
  • Invoke-RefreshToMSTeamsToken
  • Invoke-RefreshToOfficeAppsToken
  • Invoke-RefreshToOfficeManagementToken
  • Invoke-RefreshToOutlookToken
  • Invoke-RefreshToSubstrateToken
  • Invoke-RefreshToYammerToken
  • Invoke-RefreshToIntuneEnrollmentToken
  • Invoke-RefreshToOneDriveToken
  • Invoke-RefreshToSharePointToken
  • Invoke-CertToAccessToken
  • Invoke-ESTSCookieToAccessToken
  • Invoke-AppSecretToAccessToken
  • New-SignedJWT

Post-Auth Enumeration

  • Get-CurrentUser
  • Get-CurrentUserActivity
  • Get-OrgInfo
  • Get-Domains
  • Get-User
  • Get-UserProperties
  • Get-UserGroupMembership
  • Get-UserTransitiveGroupMembership
  • Get-Group
  • Get-GroupMember
  • Get-AppRoleAssignments
  • Get-ConditionalAccessPolicy
  • Get-Application
  • Get-AppServicePrincipal
  • Get-ServicePrincipal
  • Get-ServicePrincipalAppRoleAssignments
  • Get-PersonalContacts
  • Get-CrossTenantAccessPolicy
  • Get-PartnerCrossTenantAccessPolicy
  • Get-UserChatMessages
  • Get-AdministrativeUnitMember
  • Get-OneDriveFiles
  • Get-UserPermissionGrants
  • Get-oauth2PermissionGrants
  • Get-Messages
  • Get-TemporaryAccessPassword
  • Get-Password
  • List-AuthMethods
  • List-DirectoryRoles
  • List-Notebooks
  • List-ConditionalAccessPolicies
  • List-ConditionalAuthenticationContexts
  • List-ConditionalNamedLocations
  • List-SharePointRoot
  • List-SharePointSites
  • List-SharePointURLs
  • List-ExternalConnections
  • List-Applications
  • List-ServicePrincipals
  • List-Tenants
  • List-JoinedTeams
  • List-Chats
  • List-ChatMessages
  • List-Devices
  • List-AdministrativeUnits
  • List-OneDrives
  • List-RecentOneDriveFiles
  • List-SharedOneDriveFiles
  • List-OneDriveURLs

Post-Auth Exploitation

  • Invoke-CustomQuery
  • Invoke-Search
  • Find-PrivilegedRoleUsers
  • Find-PrivilegedApplications
  • Find-UpdatableGroups
  • Find-SecurityGroups
  • Find-DynamicGroups
  • Update-UserPassword
  • Update-UserProperties
  • Add-UserTAP
  • Add-GroupMember
  • Add-ApplicationPassword
  • Add-ApplicationCertificate
  • Add-ApplicationPermission
  • Grant-AppAdminConsent
  • Create-Application
  • Create-NewUser
  • Invite-GuestUser
  • Assign-PrivilegedRole
  • Open-OWAMailboxInBrowser
  • Dump-OWAMailbox
  • Spoof-OWAEmailMessage

Post-Auth Intune Enumeration

  • Get-ManagedDevices
  • Get-UserDevices
  • Get-CAPs
  • Get-DeviceCategories
  • Get-DeviceComplianceSummary
  • Get-DeviceConfigurations
  • Get-DeviceConfigurationPolicySettings
  • Get-DeviceEnrollmentConfigurations
  • Get-DeviceGroupPolicyConfigurations
  • Get-DeviceGroupPolicyDefinition
  • Get-RoleDefinitions
  • Get-RoleAssignments
  • Get-DeviceCompliancePolicies
  • Get-DeviceConfigurationPolicies

Post-Auth Intune Exploitation

  • Dump-DeviceManagementScripts
  • Dump-WindowsApps
  • Dump-iOSApps
  • Dump-macOSApps
  • Dump-AndroidApps
  • Get-ScriptContent
  • Backdoor-Script
  • Deploy-MaliciousScript
  • Deploy-MaliciousWebLink
  • Display-AVPolicyRules
  • Display-ASRPolicyRules
  • Display-DiskEncryptionPolicyRules
  • Display-FirewallConfigPolicyRules
  • Display-FirewallRulePolicyRules
  • Display-EDRPolicyRules
  • Display-LAPSAccountProtectionPolicyRules
  • Display-UserGroupAccountProtectionPolicyRules
  • Add-ExclusionGroupToPolicy
  • Reboot-Device
  • Lock-Device
  • Shutdown-Device
  • Update-DeviceConfig

Cleanup

  • Delete-User
  • Delete-Group
  • Remove-GroupMember
  • Delete-Application
  • Delete-Device
  • Wipe-Device
  • Retire-Device

Locators

  • Locate-ObjectID
  • Locate-PermissionID
  • Locate-DirectoryRole

Demos

Please refer to the Wiki for the following demos


Acknowledgements and References


Todo

  • Update:
    • Add nextLink paging for Get-User and Get-Group
    • Get-UserPrivileges - update to flag any privileged directory role app IDs in green
    • Locate-DirectoryRoleID - similar to the other locator functions, but for resolving directory role IDs
    • Deploy-MaliciousWebLink - add an option to deploy a script which copies the new Windows web app link to all user desktops
  • New:
    • Deploy-MaliciousWin32Exe/MSI - use IntuneWinAppUtil.exe to package the EXE/MSI and deploy it to devices
      • check also here for managing iOS, Android, LOB apps etc. via Graph
    • Update/Deploy-Policy - update existing rules for AV, ASR, etc. policies, or deploy a new one with specific groups/devices
    • Invoke-MFASweep - port MFASweep and add it to the outsider commands
    • Invoke-AADIntReconAsGuest and Invoke-AADIntUserEnumerationAsGuest - port from AADInternals
  • Options:
    • --proxy option
