Skip to content
mc edited this page Jul 21, 2024 · 49 revisions

GraphPython covers external reconnaissance, authentication/token manipulation, enumeration, and post-exploitation of various Microsoft services, including Entra ID (Azure AD), Office 365 (Outlook, SharePoint, OneDrive, Teams), and Intune (Endpoint Management).

  • All commands are case-insensitive
  • All flags and switches are position-independent
    • some commands will prompt the user for raw input
  • --token is REQUIRED for all 'post-auth' and 'cleanup' commands
  • Flags in square brackets/italics below are OPTIONAL
  • Flags without square brackets/italics are REQUIRED

Outsider

Command Description
Invoke-ReconAsOutsider --domain <domain.com> Perform outsider recon of the target domain
Invoke-UserEnumerationAsOutsider --username <email/emails.txt> Checks whether the uer exists within Azure AD

Authentication

Command Description
Get-GraphTokens Obtain graph token via device code phish (saved to graph_tokens.txt)
Get-TenantID --domain <domain> Get tenant ID for target domain
Get-TokenScope --token <token> Get scope of supplied token
Decode-AccessToken --token <token> Get all token payload attributes
Invoke-RefreshToMSGraphToken --token <refresh> --tenant <id> Convert refresh token to Microsoft Graph token (saved to new_graph_tokens.txt)
Invoke-RefreshToAzureManagementToken --token <refresh> --tenant <id> Convert refresh token to Azure Management token (saved to az_tokens.txt)
Invoke-RefreshToVaultToken --token <refresh> --tenant <id> Convert refresh token to Azure Vault token (saved to vault_tokens.txt)
Invoke-RefreshToMSTeamsToken --token <refresh> --tenant <id> Convert refresh token to MS Teams token (saved to teams_tokens.txt)
Invoke-RefreshToOfficeAppsToken --token <refresh> --tenant <id> Convert refresh token to Office Apps token (saved to officeapps_tokens.txt)
Invoke-RefreshToOfficeManagementToken --token <refresh> --tenant <id> Convert refresh token to Office Management token (saved to officemanagement_tokens.txt)
Invoke-RefreshToOutlookToken --token <refresh> --tenant <id> Convert refresh token to Outlook token (saved to outlook_tokens.txt)
Invoke-RefreshToSubstrateToken --token <refresh> --tenant <id> Convert refresh token to Substrate token (saved to substrate_tokens.txt)
Invoke-RefreshToYammerToken --token <refresh> --tenant <id> Convert refresh token to Yammer token (saved to yammer_tokens.txt)
Invoke-RefreshToIntuneEnrollmentToken --token <refresh> --tenant <id> Convert refresh token to Intune Enrollment token (saved to intune_tokens.txt)
Invoke-RefreshToOneDriveToken --token <refresh> --tenant <id> Convert refresh token to OneDrive token (saved to onedrive_tokens.txt)
Invoke-RefreshToSharePointToken --token <refresh> --tenant <id> Convert refresh token to SharePoint token (saved to sharepoint_tokens.txt)
Invoke-CertToAccessToken --cert <path to pfx> --id <app id> --tenant <id> Convert Azure Application certificate to JWT access token (saved to cert_tokens.txt)
Invoke-ESTSCookieToAccessToken --estsauthcookie <cookievalue> --tenant <id> Convert ESTS cookie (ESTSAuthPersistent) to MS Graph access token (saved to estscookie_tokens.txt)
Invoke-AppSecretToAccessToken --tenant <id> --id <appid> --secret <secretText> Convert Azure Application secretText credentials to access token (saved to appsecret_tokens.txt)
New-SignedJWT --token <\vault token> --tenant <id> Construct JWT and sign using Key Vault PEM certificate (Azure Key Vault access token required) then generate Azure Management token

Post-Auth Enumeration

Command Description
Get-CurrentUser Get current user profile
Get-CurrentUserActivity Get recent activity and actions of current user
Get-OrgInfo Get information relating to the target organization
Get-Domains Get domain objects
Get-User [--id <userid/upn>] Get all users (default) or target user (--id)
Get-UserProperties [--id <userid/upn>] Get current user properties (default) or target user (--id) !WARNING! loud/slow due to 403 errors when grouping properties
Get-UserPrivileges [--id <userid/upn>] Get group/AU memberships and directory roles assgined for current user (default) or target user (--id)
Get-UserTransitiveGroupMembership [--id <userid/upn>] Get transitive group memberships for current user (default) or target user (--id)
Get-Group [--id <groupid>] Get all groups (default) or target group (--id)
Get-GroupMember --id <groupid> Get all members of target group
Get-UserAppRoleAssignments [--id <userid/upn>] Get user app role assignments for current user (default) or target user (--id)
Get-ConditionalAccessPolicy --id <cap id> Get conditional access policy properties
Get-Application --id <app id> Get Enterprise Application details for app (NOT object) ID (--id)
Get-AppServicePrincipal --id <app id> Get details of the application's service principal from the app ID (--id)
Get-ServicePrincipal --id <id> Get Service Principal details (--id)
Get-ServicePrincipalAppRoleAssignments --id <id> Get Service Principal app role assignments (--id)
Get-PersonalContacts Get contacts of the current user
Get-CrossTenantAccessPolicy Get cross tenant access policy properties
Get-PartnerCrossTenantAccessPolicy Get partner cross tenant access policy
Get-UserChatMessages --id <userid/upn> Get all messages from all chats for target user
Get-AdministrativeUnitMember --id <adminunitid> Get members of administrative unit
Get-OneDriveFiles [--id <userid/upn>] Get all accessible OneDrive files for current user (default) or target user (--id)
Get-UserPermissionGrants [--id <userid/upn>] Get permissions grants of current user (default) or target user (--id)
Get-oauth2PermissionGrants [--id <userid/upn>] Get oauth2 permission grants for current user (default) or target user (--id)
Get-Messages [--id <userid/upn>] Get all messages in signed-in user's mailbox (default) or target user (--id)
Get-TemporaryAccessPassword [--id <userid/upn>] Get TAP details for current user (default) or target user (--id)
Get-Password [--id <userid/upn>] Get passwords registered to current user (default) or target user (--id)
List-AuthMethods [--id <userid/upn>] List authentication methods for current user (default) or target user (--id)
List-DirectoryRoles List all directory roles activated in the tenant
List-Notebooks [--id <userid/upn>] List current user notebooks (default) or target user (--id)
List-ConditionalAccessPolicies List conditional access policy objects
List-ConditionalAuthenticationContexts List conditional access authentication context
List-ConditionalNamedLocations List conditional access named locations
List-SharePointRoot List root SharePoint site properties
List-SharePointSites List any available SharePoint sites
List-SharePointURLs List SharePoint site web URLs visible to current user
List-ExternalConnections List external connections
List-Applications List all Azure Applications
List-ServicePrincipals List all service principals
List-Tenants List tenants
List-JoinedTeams [--id <userid/upn>] List joined teams for current user (default) or target user (--id)
List-Chats [--id <userid/upn>] List chats for current user (default) or target user (--id)
List-Devices List devices
List-AdministrativeUnits List administrative units
List-OneDrives [--id <userid/upn>] List current user OneDrive (default) or target user (--id)
List-RecentOneDriveFiles List current users recent OneDrive files
List-SharedOneDriveFiles List OneDrive files shared with the current user
List-OneDriveURLs List OneDrive web URLs visible to current user

Post-Auth Exploitation

Command Description
Invoke-CustomQuery --query <graph endpoint URL> Custom GET query to target Graph API endpoint e.g. https://graph.microsoft.com/v1.0/me
Invoke-Search --search <string> --entity <entity> Search for string within entity type (driveItem, message, chatMessage, site, event)
Find-PrivilegedRoleUsers Find users with privileged roles assigned
Find-PrivilegedApplications Find privileged apps (via their service principal) with granted admin consent API permissions
Find-UpdatableGroups Find groups which can be updated by the current user
Find-DynamicGroups Find groups with dynamic membership rules
Find-SecurityGroups Find security groups and group members
Update-UserPassword --id <userid/upn> Update the passwordProfile of the target user (NewUserS3cret@Pass!)
Update-UserProperties --id <userid/upn> Update the user properties of the target user
Add-UserTAP --id <userid/upn> Add new Temporary Access Password (TAP) to target user
Add-GroupMember --id <groupid,objectidtoadd> Add member to target group
Add-ApplicationPassword --id <app object id> Add client secret to target application
Add-ApplicationCertificate --id <app object id> Add client certificate to target application
Add-ApplicationPermission --id <app id> Add permission to target application e.g. Mail.Send and attempt to grant admin consent (app ID NOT app object ID for --id)
Grant-AppAdminConsent --id <app id> Grant admin consent for Graph API permission already assigned to enterprise application
Create-Application Create new enterprise application with default settings
Create-NewUser Create new Entra ID user
Invite-GuestUser --tenant <tenantid> Invite guest user to Entra ID
Assign-PrivilegedRole Assign chosen privileged role to user/group/object
Open-OWAMailboxInBrowser --token <substrate/outlooktoken> Open an OWA Office 365 mailbox in BurpSuite's embedded Chromium browser using either a Substrate.Office.com or Outlook.Office.com access token
Dump-OWAMailbox --mail-folder <allitems/inbox/archive/drafts/sentitems/deleteditems/recoverableitemsdeletions> [--id <userid>] Dump OWA Office 365 mailbox (default: current user)
Spoof-OWAEmailMessage --email <emailbodyfile> [--id <useridtospoof>] Send email from current user's Outlook mailbox or spoof another user (--id)

Post-Auth Intune Enumeration

Command Description
Get-ManagedDevices Get managed devices
Get-UserDevices --id <userprincipalname> Get user devices
Get-CAPs Get conditional access policies
Get-DeviceCategories Get device categories
Get-DeviceComplianceSummary Get device compliance summary
Get-DeviceConfigurations Get device configurations
Get-DeviceConfigurationPolicies Get device configuration policies and assignment details (av, asr, diskenc, etc.)
Get-DeviceConfigurationPolicySettings --id <configpolicyid> Get device configuration policy settings
Get-DeviceEnrollmentConfigurations Get device enrollment configurations
Get-DeviceGroupPolicyConfigurations Get device group policy configurations and assignment details
Get-DeviceGroupPolicyDefinition --id <grouppolicyid> Get device group policy definition
Get-RoleDefinitions Get role definitions
Get-RoleAssignments Get role assignments
Get-DeviceCompliancePolicies Get all device compliance policies (AV, ASR, Bitlocker, Firewall, EDR, LAPS) and assignments

Post-Auth Intune Exploitation

Use Get-DeviceConfigurationPolicies to identify the policyids with active assignments for the Display-* commands below

Command Description
Dump-DeviceManagementScripts Dump device management PowerShell scripts
Dump-WindowsApps Dump managed Windows OS applications (exe, msi, appx, msix, etc.)
Dump-iOSApps Dump managed iOS/iPadOS mobile applications
Dump-macOSApps Dump managed macOS applications
Dump-AndroidApps Dump managed Android mobile applications
Get-ScriptContent --id <scriptid> Get device management script content
Backdoor-Script --id <scriptid> --script <backdoored.ps1> Add malicious code to pre-existing device management script
Deploy-MaliciousScript --script <script.ps1> Deploy new malicious device management PowerShell script to all devices
Display-AVPolicyRules --id <configpolicyid> Display antivirus policy rules
Display-ASRPolicyRules --id <configpolicyid> Display Attack Surface Reduction (ASR) policy rules
Display-DiskEncryptionPolicyRules --id <configpolicyid> Display disk encryption policy rules
Display-FirewallConfigPolicyRules --id <configpoliyid> Display firewall configuration policy rules
Display-FirewallRulePolicyRules --id <configpolicyid> Display firewall RULE policy rules (not firewall configuration policy)
Display-EDRPolicyRules --id <configpolicyid> Display EDR policy rules
Display-LAPSAccountProtectionPolicyRules --id <configpolicyid> Display LAPS account protection policy rules
Display-UserGroupAccountProtectionPolicyRules --id <configpolicyid> Display user group account protection policy rules
Add-ExclusionGroupToPolicy --id <configpolicyid> Bypass av, asr, etc. rules by adding an exclusion group containing compromised user or device
Reboot-Device --id <deviceid> Reboot managed device
Retire-Device --id <deviceid> Retire managed device
Lock-Device --id <deviceid> Lock managed device
Shutdown-Device --id <deviceid> Shutdown managed device
Update-DeviceConfig --id <deviceid> Update properties of the managed device configuration

Cleanup

Command Description
Delete-User --id <userid> Delete a user
Delete-Group --id <groupid> Delete a group
Remove-GroupMember --id <objectid> Remove user from a group
Delete-Application --id <appid> Delete an application
Delete-Device --id <deviceid> Delete managed device
Wipe-Device --id <deviceid> Wipe managed device

Locators

Command Description
Locate-ObjectID --id <object id> Locate object ID and display object properties
Locate-PermissionID --id <graph permission id> Locate Graph permission ID details (application/delegated, description, admin consent required, ...)
Clone this wiki locally