Home
mc edited this page Jul 18, 2024
GraphPython covers external reconnaissance, authentication/token manipulation, enumeration, and post-exploitation of various Microsoft services, including Entra ID (Azure AD), Office 365 (Outlook, SharePoint, OneDrive, Teams), and Intune (Endpoint Management).
- All commands are case-insensitive
- All flags and switches are position-independent
- Some commands will prompt the user for raw input
- `--token` is REQUIRED for all 'post-auth' and 'cleanup' commands
- Flags in square brackets/italics below are OPTIONAL
- Flags without square brackets/italics are REQUIRED
Command | Description |
---|---|
Invoke-ReconAsOutsider --domain <domain.com> | Perform outsider recon of the target domain |
Invoke-UserEnumerationAsOutsider --username <email/emails.txt> | Checks whether the user exists within Azure AD |
Command | Description |
---|---|
Get-GraphTokens | Obtain graph token via device code phish (saved to graph_tokens.txt) |
Get-TenantID --domain <domain> | Get tenant ID for target domain |
Get-TokenScope --token <token> | Get scope of supplied token |
Decode-AccessToken --token <token> | Get all token payload attributes |
Invoke-RefreshToMSGraphToken --token <refresh> --tenant <id> | Convert refresh token to Microsoft Graph token (saved to new_graph_tokens.txt) |
Invoke-RefreshToAzureManagementToken --token <refresh> --tenant <id> | Convert refresh token to Azure Management token (saved to az_tokens.txt) |
Invoke-RefreshToVaultToken --token <refresh> --tenant <id> | Convert refresh token to Azure Vault token (saved to vault_tokens.txt) |
Invoke-RefreshToMSTeamsToken --token <refresh> --tenant <id> | Convert refresh token to MS Teams token (saved to teams_tokens.txt) |
Invoke-RefreshToOfficeAppsToken --token <refresh> --tenant <id> | Convert refresh token to Office Apps token (saved to officeapps_tokens.txt) |
Invoke-RefreshToOfficeManagementToken --token <refresh> --tenant <id> | Convert refresh token to Office Management token (saved to officemanagement_tokens.txt) |
Invoke-RefreshToOutlookToken --token <refresh> --tenant <id> | Convert refresh token to Outlook token (saved to outlook_tokens.txt) |
Invoke-RefreshToSubstrateToken --token <refresh> --tenant <id> | Convert refresh token to Substrate token (saved to substrate_tokens.txt) |
Invoke-RefreshToYammerToken --token <refresh> --tenant <id> | Convert refresh token to Yammer token (saved to yammer_tokens.txt) |
Invoke-RefreshToIntuneEnrollmentToken --token <refresh> --tenant <id> | Convert refresh token to Intune Enrollment token (saved to intune_tokens.txt) |
Invoke-RefreshToOneDriveToken --token <refresh> --tenant <id> | Convert refresh token to OneDrive token (saved to onedrive_tokens.txt) |
Invoke-RefreshToSharePointToken --token <refresh> --tenant <id> | Convert refresh token to SharePoint token (saved to sharepoint_tokens.txt) |
Invoke-CertToAccessToken --cert <path to pfx> --id <app id> --tenant <id> | Convert Azure Application certificate to JWT access token (saved to cert_tokens.txt) |
Invoke-ESTSCookieToAccessToken --estsauthcookie <cookievalue> --tenant <id> | Convert ESTS cookie (ESTSAuthPersistent) to MS Graph access token (saved to estscookie_tokens.txt) |
Invoke-AppSecretToAccessToken --tenant <id> --id <appid> --secret <secretText> | Convert Azure Application secretText credentials to access token (saved to appsecret_tokens.txt) |
New-SignedJWT --token <vault token> --tenant <id> | Construct JWT and sign using Key Vault PEM certificate (Azure Key Vault access token required) then generate Azure Management token |
Command | Description |
---|---|
Get-CurrentUser | Get current user profile |
Get-CurrentUserActivity | Get recent activity and actions of current user |
Get-OrgInfo | Get information relating to the target organization |
Get-Domains | Get domain objects |
Get-User [--id <userid/upn>] | Get all users (default) or target user (--id) |
Get-UserProperties [--id <userid/upn>] | Get current user properties (default) or target user (--id) !WARNING! loud/slow due to 403 errors when grouping properties |
Get-UserPrivileges [--id <userid/upn>] | Get group/AU memberships and directory roles assigned for current user (default) or target user (--id) |
Get-UserTransitiveGroupMembership [--id <userid/upn>] | Get transitive group memberships for current user (default) or target user (--id) |
Get-Group [--id <groupid>] | Get all groups (default) or target group (--id) |
Get-GroupMember --id <groupid> | Get all members of target group |
Get-UserAppRoleAssignments [--id <userid/upn>] | Get user app role assignments for current user (default) or target user (--id) |
Get-ConditionalAccessPolicy --id <cap id> | Get conditional access policy properties |
Get-Application --id <app id> | Get Enterprise Application details for app (NOT object) ID (--id) |
Get-AppServicePrincipal --id <app id> | Get details of the application's service principal from the app ID (--id) |
Get-ServicePrincipal --id <id> | Get Service Principal details (--id) |
Get-ServicePrincipalAppRoleAssignments --id <id> | Get Service Principal app role assignments (--id) |
Get-PersonalContacts | Get contacts of the current user |
Get-CrossTenantAccessPolicy | Get cross tenant access policy properties |
Get-PartnerCrossTenantAccessPolicy | Get partner cross tenant access policy |
Get-UserChatMessages --id <userid/upn> | Get all messages from all chats for target user |
Get-AdministrativeUnitMember --id <adminunitid> | Get members of administrative unit |
Get-OneDriveFiles [--id <userid/upn>] | Get all accessible OneDrive files for current user (default) or target user (--id) |
Get-UserPermissionGrants [--id <userid/upn>] | Get permissions grants of current user (default) or target user (--id) |
Get-oauth2PermissionGrants [--id <userid/upn>] | Get oauth2 permission grants for current user (default) or target user (--id) |
Get-Messages [--id <userid/upn>] | Get all messages in signed-in user's mailbox (default) or target user (--id) |
Get-TemporaryAccessPassword [--id <userid/upn>] | Get TAP details for current user (default) or target user (--id) |
Get-Password [--id <userid/upn>] | Get passwords registered to current user (default) or target user (--id) |
List-AuthMethods [--id <userid/upn>] | List authentication methods for current user (default) or target user (--id) |
List-DirectoryRoles | List all directory roles activated in the tenant |
List-Notebooks [--id <userid/upn>] | List current user notebooks (default) or target user (--id) |
List-ConditionalAccessPolicies | List conditional access policy objects |
List-ConditionalAuthenticationContexts | List conditional access authentication context |
List-ConditionalNamedLocations | List conditional access named locations |
List-SharePointRoot | List root SharePoint site properties |
List-SharePointSites | List any available SharePoint sites |
List-SharePointURLs | List SharePoint site web URLs visible to current user |
List-ExternalConnections | List external connections |
List-Applications | List all Azure Applications |
List-ServicePrincipals | List all service principals |
List-Tenants | List tenants |
List-JoinedTeams [--id <userid/upn>] | List joined teams for current user (default) or target user (--id) |
List-Chats [--id <userid/upn>] | List chats for current user (default) or target user (--id) |
List-Devices | List devices |
List-AdministrativeUnits | List administrative units |
List-OneDrives [--id <userid/upn>] | List current user OneDrive (default) or target user (--id) |
List-RecentOneDriveFiles | List current user's recent OneDrive files |
List-SharedOneDriveFiles | List OneDrive files shared with the current user |
List-OneDriveURLs | List OneDrive web URLs visible to current user |
Command | Description |
---|---|
Invoke-CustomQuery --query <graph endpoint URL> | Custom GET query to target Graph API endpoint e.g. https://graph.microsoft.com/v1.0/me |
Invoke-Search --search <string> --entity <entity> | Search for string within entity type (driveItem, message, chatMessage, site, event) |
Find-PrivilegedRoleUsers | Find users with privileged roles assigned |
Find-PrivilegedApplications | Find privileged apps (via their service principal) with granted admin consent API permissions |
Find-UpdatableGroups | Find groups which can be updated by the current user |
Find-DynamicGroups | Find groups with dynamic membership rules |
Find-SecurityGroups | Find security groups and group members |
Update-UserPassword --id <userid/upn> | Update the passwordProfile of the target user (NewUserS3cret@Pass!) |
Update-UserProperties --id <userid/upn> | Update the user properties of the target user |
Add-UserTAP --id <userid/upn> | Add new Temporary Access Password (TAP) to target user |
Add-GroupMember --id <groupid,objectidtoadd> | Add member to target group |
Add-ApplicationPassword --id <app object id> | Add client secret to target application |
Add-ApplicationCertificate --id <app object id> | Add client certificate to target application |
Add-ApplicationPermission --id <app id> | Add permission to target application e.g. Mail.Send and attempt to grant admin consent (app ID NOT app object ID for --id) |
Grant-AppAdminConsent --id <app id> | Grant admin consent for Graph API permission already assigned to enterprise application |
Create-Application | Create new enterprise application with default settings |
Create-NewUser | Create new Entra ID user |
Invite-GuestUser --tenant <tenantid> | Invite guest user to Entra ID |
Assign-PrivilegedRole | Assign chosen privileged role to user/group/object |
Open-OWAMailboxInBrowser --token <substrate/outlooktoken> | Open an OWA Office 365 mailbox in BurpSuite's embedded Chromium browser using either a Substrate.Office.com or Outlook.Office.com access token |
Dump-OWAMailbox --mail-folder <allitems/inbox/archive/drafts/sentitems/deleteditems/recoverableitemsdeletions> [--id <userid>] | Dump OWA Office 365 mailbox (default: current user) |
Spoof-OWAEmailMessage --email <emailbodyfile> [--id <useridtospoof>] | Send email from current user's Outlook mailbox or spoof another user (--id) |
Command | Description |
---|---|
Get-ManagedDevices | Get managed devices |
Get-UserDevices --id <userprincipalname> | Get user devices |
Get-CAPs | Get conditional access policies |
Get-DeviceCategories | Get device categories |
Get-DeviceComplianceSummary | Get device compliance summary |
Get-DeviceConfigurations | Get device configurations |
Get-DeviceConfigurationPolicies | Get device configuration policies and assignment details (av, asr, diskenc, etc.) |
Get-DeviceConfigurationPolicySettings --id <configpolicyid> | Get device configuration policy settings |
Get-DeviceEnrollmentConfigurations | Get device enrollment configurations |
Get-DeviceGroupPolicyConfigurations | Get device group policy configurations and assignment details |
Get-DeviceGroupPolicyDefinition --id <grouppolicyid> | Get device group policy definition |
Get-RoleDefinitions | Get role definitions |
Get-RoleAssignments | Get role assignments |
Use Get-DeviceConfigurationPolicies to identify the policy IDs with active assignments for the Display-* commands below.
Command | Description |
---|---|
Dump-DeviceManagementScripts | Dump device management PowerShell scripts |
Dump-WindowsApps | Dump managed Windows OS applications (exe, msi, appx, msix, etc.) |
Dump-iOSApps | Dump managed iOS/iPadOS mobile applications |
Dump-macOSApps | Dump managed macOS applications |
Dump-AndroidApps | Dump managed Android mobile applications |
Get-ScriptContent --id <scriptid> | Get device management script content |
Backdoor-Script --id <scriptid> --script <backdoored.ps1> | Add malicious code to pre-existing device management script |
Deploy-MaliciousScript --script <script.ps1> | Deploy new malicious device management PowerShell script to all devices |
Display-AVPolicyRules --id <configpolicyid> | Display antivirus policy rules |
Display-ASRPolicyRules --id <configpolicyid> | Display Attack Surface Reduction (ASR) policy rules |
Display-DiskEncryptionPolicyRules --id <configpolicyid> | Display disk encryption policy rules |
Display-FirewallRulePolicyRules --id <configpolicyid> | Display firewall RULE policy rules (not firewall configuration policy) |
Display-EDRPolicyRules --id <configpolicyid> | Display EDR policy rules |
Display-LAPSAccountProtectionPolicyRules --id <configpolicyid> | Display LAPS account protection policy rules |
Display-UserGroupAccountProtectionPolicyRules --id <configpolicyid> | Display user group account protection policy rules |
Get-DeviceCompliancePolicies | Get device compliance policies |
Add-ExclusionGroupToPolicy --id <configpolicyid> | Bypass av, asr, etc. rules by adding an exclusion group containing compromised user or device |
Reboot-Device --id <deviceid> | Reboot managed device |
Retire-Device --id <deviceid> | Retire managed device |
Lock-Device --id <deviceid> | Lock managed device |
Shutdown-Device --id <deviceid> | Shutdown managed device |
Command | Description |
---|---|
Delete-User --id <userid> | Delete a user |
Delete-Group --id <groupid> | Delete a group |
Remove-GroupMember --id <objectid> | Remove user from a group |
Delete-Application --id <appid> | Delete an application |
Delete-Device --id <deviceid> | Delete managed device |
Wipe-Device --id <deviceid> | Wipe managed device |
Command | Description |
---|---|
Locate-ObjectID --id <object id> | Locate object ID and display object properties |
Locate-PermissionID --id <graph permission id> | Locate Graph permission ID details (application/delegated, description, admin consent required, ...) |