A browser-based Microsoft Graph API post-exploitation framework.
GraphRobber was developed during my time working at Booz Allen Hamilton on the commercial Red Team.
GraphRobber began as a small project of updating currently available tooling available for performing Azure post-exploitation through Microsoft Graph. It evolved into a fully featured browser interface for performing Microsoft Azure Post Exploitation during offensive engagements.
GraphRobber is built off of many pre-existing tools and researchers in an easy to use fully implemented tool. Please support the original creators for their incredible research on Azure attacks and capabilities. GraphSpy was my original inspiration for the idea, unlike GraphSpy GraphRobber is strictly the Microsoft Graph APIs for Microsft Outlook & Microsoft Teams. If you need substrate or skype access check out the original repository.
| Tool | Author | Features built off |
|---|---|---|
| GraphSpy | RedByte1337 | Initial Inspiration architecture, token management, MFA operations, PRT and Device Certificates exchange |
| GraphRunner | Beau Bullock (@daborhack) | Enumeration patterns, graph application scopes, sharepoint and onedrive searchingss |
| AzureHound | SpecterOps / BloodHound | Entra ID enumeration schema, BloodHound readys format, relationship mapping, role assignment collection |
| ROADtools | Dirk-jan Mollema (@_dirkjan) | PRT use, session key derivation, Kerberos SSO, WS-Trust SAML exchange |
| Pytune | Researched and presented by Yuya Chudo at Black Hat EU 2024 | Intune MDM enrollment, app download, device profile spoofing, compliance manipulation |
- Quick Auth -- Device code phishing with client ID picker
- Username & Password -- Direct credential authentication
- App Secret Auth -- Service principal authentication with client credentials
- Kerberos SSO -- Kerberos service ticket to OAuth2 token exchange
- PRT Cookie Exchange -- Exchange PRT cookies for tokens or inject into a browser
- Browser Cookie Auth -- Exchange stolen ESTSAUTHPERSISTENT browser cookies for tokens.
- Access Tokens -- Import, decode, describe, bulk delete, clear expired
- Refresh Tokens -- Store, exchange across resources (v1/v2), FOCI cross-client exchange
- Temporary Access Pass -- Create TAPs for self or target users. Check TAP policy, list/delete existing TAPs.
- Device Registration -- Register Entra Joined, Entra Registered, or Hybrid Joined devices
- Hybrid Join -- AD computer creation via SAMR + Entra hybrid registration
- PRT Acquisition -- Request PRTs using device cert + refresh token.
- PRT Cookie Generation -- Generate browser SSO cookies from stored PRTs
- Browser Injection -- Launch Chrome/Edge with PRT or Kerberos cookie injected
- Kerberos TGT Export -- Export captured on-prem partial TGTs as .ccache files
- Enumerate Methods -- List MFA methods on target accounts
- Register Methods -- Add TOTP, phone, email, or FIDO2 keys
- OTP Generation -- Generate codes from enrolled TOTP seeds
- Bulk Management -- Select all / bulk delete OTP entries
- User Enumeration -- Users with group memberships, role assignments, owned objects
- EntraHound Collection -- Full tenant enumeration with parallel collection and adaptive rate limiting
- BloodHound Export -- AzureHound-esq JSON for BloodHound CE
- Application Scope OpenGraph Export -- App permission properties added to BloodHound nodes
- Dynamic Groups -- Enumerate dynamic groups, flag weak rules on mutable attributes
- Conditional Access -- CA policy enumeration with gap analysis
- Cross-Tenant Recon -- Discover partner tenants, B2B trust settings (MFA, compliance, hybrid join trust), cross-tenant synchronization status, and delegated admin relationships
- Outlook -- Read, search, compose, send, reply, delete emails.
- Teams -- List chats/teams/channels, read messages with threaded replies, search with from/to context, send messages and channel replies
- SharePoint & OneDrive -- Browse, search, upload, download, delete files.
- Recent Files -- Browse recently accessed files
- Calendar -- View calendar events with attendees, body content, and meeting URLs. Free/busy schedule check on other users. Meeting room enumeration for org recon.
- OneNote -- Browse notebooks (personal + group), search page content with keyword presets, view pages as rendered HTML.
- User Insights -- Low-noise recon: top contacts (People API), recently used documents, trending files, shared items.
- Refresh Enrollment -- Enroll with just a refresh token, no device cert or PRT needed
- Full Enrollment -- Device registration + PRT + Intune enrollment
- Script Download -- PowerShell scripts with encrypted body decryption
- Win32 App Download -- .intunewin packages with S/MIME + AES decryption
- Remediation Scripts -- Detection + remediation script pair download
- Domain Join Extraction -- Parse Autopilot blobs for computer credentials and DC IPs
- PIM Activation -- Check and activate PIM-eligible roles. Pre-populated justification text, duration picker, deactivation for cleanup.
- Password Reset -- Reset user passwords
- OAuth App Injection -- Create backdoor apps with secrets, permissions, and one-click auth
- App Recon -- Add secrets to owned apps. Toggle single/multi-tenant. Grant app role assignments and delegated permissions post-escalation.
- Group Management -- Add/remove group members with search and preview
- Guest Invitation -- Invite guests with optional stealth mode and attribute setting
- Client Scopes -- Browse 1,000+ pre-consented client IDs with permissions and FOCI status
- Access Packages -- List and request Entitlement Management access packages.
- SOCKS5/HTTP Proxy -- Route all API traffic through a proxy
- Multi-Database Support -- Manage multiple databases for fresh storage during long running engagements
- Python 3.10+
- openssl on system PATH -- required for Intune Win32 app and script decryption
cd GraphRobber
python3 -m venv venv
# Linux/macOS
source venv/bin/activate
# Windows
venv\Scripts\activate
pip install .graphrobberStarts on http://127.0.0.1:1337 by default.
graphrobber [-h] [-i INTERFACE] [-p PORT] [-d DATABASE] [--debug] [--full-requests]
Options:
-i, --interface Interface to bind to (default: 127.0.0.1, use 0.0.0.0 for all)
-p, --port Port to bind to (default: 1337)
-d, --database Database filename (default: database.db)
--debug Enable Flask debug mode with detailed stack traces
--full-requests Log all API requests (200s included). Default only logs errors/warnings.
GraphRobber is intended for authorized security testing only. Use of this tool against systems without explicit written permission is illegal and unethical. The authors assume no liability for misuse. Always obtain proper authorization before conducting any penetration testing activities.
The views and opinions expressed in this repoistory are those of the author and do not necessarily reflect the official policy, position, or values of Booz Allen. Booz Allen does not claim or endorse any statements made herein.