GraphRunner.ps1
GraphRunner includes a PowerShell set of tools to assist with carrying out various attacks during post-exploitation of a Microsoft Entra ID (Azure AD) tenant. Most of the modules rely on having authenticated access tokens. To assist with this there are multiple modules for obtaining and working with both user and application (service principal) tokens.
To get started, import GraphRunner into a new PowerShell session.
Import-Module .\GraphRunner.ps1
- Get-GraphTokens - Authenticate as a user to Microsoft Graph
- Invoke-RefreshGraphTokens - Use a refresh token to obtain new access tokens
- Get-AzureAppTokens - Complete OAuth flow as an app to obtain access tokens
- Invoke-RefreshAzureAppTokens - Use a refresh token and app credentials to refresh a token
- Invoke-AutoTokenRefresh - Refresh tokens at an interval
- Invoke-GraphRecon - Performs general recon for org info, user settings, directory sync settings, etc
- Invoke-DumpCAPS - Gets conditional access policies
- Invoke-DumpApps - Gets app registrations and external enterprise apps along with consent and scope info
- Get-AzureADUsers - Gets user directory
- Get-SecurityGroups - Gets security groups and members
- Get-UpdatableGroups - Gets groups that may be able to be modified by the current user
- Get-DynamicGroups - Finds dynamic groups and displays membership rules
- Get-SharePointSiteURLs - Gets a list of SharePoint site URLs visible to the current user
- Get-TenantID - From an unauthenticated context retrieves a tenant ID associated with a domain
- Invoke-GraphOpenInboxFinder - Checks each user’s inbox in a list to see if they are readable
- Get-TenantID - Retrieves the tenant GUID from the domain name
- Invoke-InjectOAuthApp - Injects an app registration into the tenant
- Invoke-SecurityGroupCloner - Clones a security group while using an identical name and member list but can inject another user as well
- Invoke-InviteGuest - Invites a guest user to the tenant
- Invoke-AddGroupMember - Adds a member to a group
- Invoke-SearchSharePointAndOneDrive - Search across all SharePoint sites and OneDrive drives visible to the user
- Invoke-ImmersiveFileReader - Open restricted files with the immersive reader
- Invoke-SearchMailbox - Has the ability to do deep searches across a user’s mailbox and can export messages
- Invoke-SearchTeams - Can search all Teams messages in all channels that are readable by the current user
- Invoke-SearchUserAttributes - Search for terms across all user attributes in a directory
- Get-Inbox - Gets the latest inbox items from a mailbox and can be used to read other user mailboxes (shared)
- Get-TeamsChat - Downloads full Teams chat conversations
- Invoke-GraphRunner - Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams.
- Invoke-AutoOAuthFlow - Automates the OAuth flow completion to obtain access and refresh keys when a user grants consent to an app registration
- Invoke-DeleteOAuthApp - Delete an OAuth App
- Invoke-DeleteGroup - Delete a group
- Invoke-RemoveGroupMember - Module for removing users/members from groups
- Invoke-DriveFileDownload - Has the ability to download single files from SharePoint and OneDrive as the current user
- Invoke-CheckAccess - Check if tokens are valid
- Invoke-HTTPServer - A basic web server to use for accessing the emailviewer that is output from Invoke-SearchMailbox
- Invoke-BruteClientIDAccess - Test different client_id's against MSGraph to determine permissions
- Invoke-ImportTokens - Import tokens from other tools for use in GraphRunner
- Get-UserObjectID - Retrieves an Object ID for a user