Graphpython

<p align="center"> <img src="./.github/python.png" /> </p>

Graphpython is a modular Python tool for cross-platform Microsoft Graph API enumeration and exploitation. It builds upon the capabilities of AADInternals (Killchain.ps1), GraphRunner, and TokenTactics(V2) to provide a comprehensive solution for interacting with the Microsoft Graph API for red team and cloud assumed breach operations.

Graphpython covers external reconnaissance, authentication/token manipulation, enumeration, and post-exploitation of various Microsoft services, including Entra ID (Azure AD), Office 365 (Outlook, SharePoint, OneDrive, Teams), and Intune (Endpoint Management).

Index

• Installation
• Usage
• Commands
• Demos

Installation

Graphpython is designed to be cross-platform, ensuring compatibility with both Windows and Linux based operating systems:

git clone https://github.com/mlcsec/Graphpython.git
cd Graphpython
pip install .

bashCopy
Graphpython -h
# or
python3 Graphpython.py -h

Usage

Please refer to the Wiki for more details

<p align="center"> <img src="./.github/usage.png" /> </p>

Commands

Please refer to the Wiki for more details on the available commands

Outsider

• Invoke-ReconAsOutsider
• Invoke-UserEnumerationAsOutsider

Authentication

• Get-GraphTokens
• Get-TenantID
• Get-TokenScope
• Decode-AccessToken
• Invoke-RefreshToMSGraphToken
• Invoke-RefreshToAzureManagementToken
• Invoke-RefreshToVaultToken
• Invoke-RefreshToMSTeamsToken
• Invoke-RefreshToOfficeAppsToken
• Invoke-RefreshToOfficeManagementToken
• Invoke-RefreshToOutlookToken
• Invoke-RefreshToSubstrateToken
• Invoke-RefreshToYammerToken
• Invoke-RefreshToIntuneEnrollmentToken
• Invoke-RefreshToOneDriveToken
• Invoke-RefreshToSharePointToken
• Invoke-CertToAccessToken
• Invoke-ESTSCookieToAccessToken
• Invoke-AppSecretToAccessToken
• New-SignedJWT

Post-Auth Enumeration

• Get-CurrentUser
• Get-CurrentUserActivity
• Get-OrgInfo
• Get-Domains
• Get-User
• Get-UserProperties
• Get-UserGroupMembership
• Get-UserTransitiveGroupMembership
• Get-Group
• Get-GroupMember
• Get-AppRoleAssignments
• Get-ConditionalAccessPolicy
• Get-Application
• Get-AppServicePrincipal
• Get-ServicePrincipal
• Get-ServicePrincipalAppRoleAssignments
• Get-PersonalContacts
• Get-CrossTenantAccessPolicy
• Get-PartnerCrossTenantAccessPolicy
• Get-UserChatMessages
• Get-AdministrativeUnitMember
• Get-OneDriveFiles
• Get-UserPermissionGrants
• Get-oauth2PermissionGrants
• Get-Messages
• Get-TemporaryAccessPassword
• Get-Password
• List-AuthMethods
• List-DirectoryRoles
• List-Notebooks
• List-ConditionalAccessPolicies
• List-ConditionalAuthenticationContexts
• List-ConditionalNamedLocations
• List-SharePointRoot
• List-SharePointSites
• List-SharePointURLs
• List-ExternalConnections
• List-Applications
• List-ServicePrincipals
• List-Tenants
• List-JoinedTeams
• List-Chats
• List-ChatMessages
• List-Devices
• List-AdministrativeUnits
• List-OneDrives
• List-RecentOneDriveFiles
• List-SharedOneDriveFiles
• List-OneDriveURLs

Post-Auth Exploitation

• Invoke-CustomQuery
• Invoke-Search
• Find-PrivilegedRoleUsers
• Find-PrivilegedApplications
• Find-UpdatableGroups
• Find-SecurityGroups
• Find-DynamicGroups
• Update-UserPassword
• Update-UserProperties
• Add-UserTAP
• Add-GroupMember
• Add-ApplicationPassword
• Add-ApplicationCertificate
• Add-ApplicationPermission
• Grant-AppAdminConsent
• Create-Application
• Create-NewUser
• Invite-GuestUser
• Assign-PrivilegedRole
• Open-OWAMailboxInBrowser
• Dump-OWAMailbox
• Spoof-OWAEmailMessage

Post-Auth Intune Enumeration

• Get-ManagedDevices
• Get-UserDevices
• Get-CAPs
• Get-DeviceCategories
• Get-DeviceComplianceSummary
• Get-DeviceConfigurations
• Get-DeviceConfigurationPolicySettings
• Get-DeviceEnrollmentConfigurations
• Get-DeviceGroupPolicyConfigurations
• Get-DeviceGroupPolicyDefinition
• Get-RoleDefinitions
• Get-RoleAssignments
• Get-DeviceCompliancePolicies
• Get-DeviceConfigurationPolicies

Post-Auth Intune Exploitation

• Dump-DeviceManagementScripts
• Dump-WindowsApps
• Dump-iOSApps
• Dump-macOSApps
• Dump-AndroidApps
• Get-ScriptContent
• Backdoor-Script
• Deploy-MaliciousScript
• Deploy-MaliciousWebLink
• Display-AVPolicyRules
• Display-ASRPolicyRules
• Display-DiskEncryptionPolicyRules
• Display-FirewallConfigPolicyRules
• Display-FirewallRulePolicyRules
• Display-EDRPolicyRules
• Display-LAPSAccountProtectionPolicyRules
• Display-UserGroupAccountProtectionPolicyRules
• Add-ExclusionGroupToPolicy
• Reboot-Device
• Lock-Device
• Shutdown-Device
• Update-DeviceConfig

Cleanup

• Delete-User
• Delete-Group
• Remove-GroupMember
• Delete-Application
• Delete-Device
• Wipe-Device
• Retire-Device

Locators

• Locate-ObjectID
• Locate-PermissionID
• Locate-DirectoryRole

<br>

Demos

Please refer to the Wiki for the following demos

• Outsider
  • Invoke-ReconAsOutsider
  • Invoke-UserEnumerationAsOutsider
• Authentication
  • Get-GraphTokens
  • Get-TenantID
  • Invoke-RefreshToAzureManagementToken
  • Invoke-RefreshToMSGraphToken
  • Invoke-CertToAccessToken
  • Invoke-ESTSCookieToAccessToken
• Post-Auth Enumeration
  • Get-CurrentUser
  • Get-User
  • Get-Group
  • Get-UserPrivileges
  • Get-Domains
  • Get-Application
  • List-RecentOneDriveFiles
• Post-Auth Exploitation
  • Invite-GuestUser
  • Find-PrivilegedRoleUsers
  • Assign-PrivilegedRole
  • Find-PrivilegedApplications
  • Add-ApplicationCertificate
  • Add-ApplicationPermission
  • Spoof-OWAEmailMessage
  • Find-DynamicGroups
  • Find-UpdatableGroups
  • Invoke-Search
• Post-Auth Intune Enumeration
  • Get-ManagedDevices
  • Get-UserDevices
  • Get-DeviceCompliancePolicies
  • Get-DeviceConfigurationPolicies
• Post-Auth Intune Exploitation
  • Display-AVPolicyRules
  • Get-ScriptContent
  • Backdoor-Script
  • Deploy-MaliciousScript
  • Deploy-MaliciousWebLink
  • Add-ExclusionGroupToPolicy
• Cleanup
  • Remove-GroupMember
• Locators
  • Locate-ObjectID
  • Locate-PermissionID
  • Locate-DirectoryRole

<br>

Acknowledgements and References

• AADInternals
• GraphRunner
• TokenTactics and TokenTacticsV2
• https://learn.microsoft.com/en-us/graph/permissions-reference
• https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
• https://graphpermissions.merill.net/

<br>

Todo

• Update:
  • Add nextlink for get-user and get-group
  • Get-UserPrivileges - update to flag any privileged directory role app ids green
  • Locate-DirectoryRoleID - similar to other locator functions but for resolving directory role ids
  • Deploy-MaliciousWebLink - add option to deploy script which copies new windows web app link to all user desktops
• New:
  • Deploy-MaliciousWin32Exe/MSI - use IntuneWinAppUtil.exe to package the EXE/MSI and deploy to devices
    • check also here for managing iOS, Android, LOB apps etc. via graph
  • Update/Deploy-Policy - update existing rules for av, asr, etc. policy or deploy a new one with specific groups/devices
  • Invoke-MFASweep - port mfa sweep and add to outsider commands
  • Invoke-AADIntReconAsGuest and Invoke-AADIntUserEnumerationAsGuest - port from AADInternals
• Options:
  • --proxy option