- Notifications
You must be signed in to change notification settings - Fork 16
Commands
mc edited this page Jul 28, 2024 · 9 revisions
Graphpython covers external reconnaissance, authentication and token manipulation, enumeration, and post-exploitation of various Microsoft services, including Entra ID (Azure AD), Office 365 (Outlook, SharePoint, OneDrive, Teams), and Intune (Endpoint Management).
The commands are categorised into the following sections:
- Outsider
- Authentication
- Post-Auth Enumeration
- Post-Auth Exploitation
- Post-Auth Intune Enumeration
- Post-Auth Intune Exploitation
- Cleanup
- Locators
Please keep the following in mind:
- All commands are case-insensitive
- All flags and switches are position-independent
- some commands will prompt the user for raw input
- Flags in square brackets/italics below are OPTIONAL
- flags without square brackets/italics are REQUIRED
| Command | Description |
|---|---|
| Invoke-ReconAsOutsider --domain <domain.com> | Perform outsider recon of the target domain |
| Invoke-UserEnumerationAsOutsider --username <email/emails.txt> | Checks whether the uer exists within Azure AD |
| Command | Description |
|---|---|
| Get-GraphTokens | Obtain graph token via device code phish (saved to graph_tokens.txt) |
| Get-TenantID --domain <domain> | Get tenant ID for target domain |
| Get-TokenScope --token <token> | Get scope of supplied token |
| Decode-AccessToken --token <token> | Get all token payload attributes |
| Invoke-RefreshToMSGraphToken --token <refresh> --tenant <id> | Convert refresh token to Microsoft Graph token (saved to new_graph_tokens.txt) |
| Invoke-RefreshToAzureManagementToken --token <refresh> --tenant <id> | Convert refresh token to Azure Management token (saved to az_tokens.txt) |
| Invoke-RefreshToVaultToken --token <refresh> --tenant <id> | Convert refresh token to Azure Vault token (saved to vault_tokens.txt) |
| Invoke-RefreshToMSTeamsToken --token <refresh> --tenant <id> | Convert refresh token to MS Teams token (saved to teams_tokens.txt) |
| Invoke-RefreshToOfficeAppsToken --token <refresh> --tenant <id> | Convert refresh token to Office Apps token (saved to officeapps_tokens.txt) |
| Invoke-RefreshToOfficeManagementToken --token <refresh> --tenant <id> | Convert refresh token to Office Management token (saved to officemanagement_tokens.txt) |
| Invoke-RefreshToOutlookToken --token <refresh> --tenant <id> | Convert refresh token to Outlook token (saved to outlook_tokens.txt) |
| Invoke-RefreshToSubstrateToken --token <refresh> --tenant <id> | Convert refresh token to Substrate token (saved to substrate_tokens.txt) |
| Invoke-RefreshToYammerToken --token <refresh> --tenant <id> | Convert refresh token to Yammer token (saved to yammer_tokens.txt) |
| Invoke-RefreshToIntuneEnrollmentToken --token <refresh> --tenant <id> | Convert refresh token to Intune Enrollment token (saved to intune_tokens.txt) |
| Invoke-RefreshToOneDriveToken --token <refresh> --tenant <id> | Convert refresh token to OneDrive token (saved to onedrive_tokens.txt) |
| Invoke-RefreshToSharePointToken --token <refresh> --tenant <id> | Convert refresh token to SharePoint token (saved to sharepoint_tokens.txt) |
| Invoke-CertToAccessToken --cert <path to pfx> --id <app id> --tenant <id> | Convert Azure Application certificate to JWT access token (saved to cert_tokens.txt) |
| Invoke-ESTSCookieToAccessToken --estsauthcookie <cookievalue> --tenant <id> | Convert ESTS cookie (ESTSAuthPersistent) to MS Graph access token (saved to estscookie_tokens.txt) |
| Invoke-AppSecretToAccessToken --tenant <id> --id <appid> --secret <secretText> | Convert Azure Application secretText credentials to access token (saved to appsecret_tokens.txt) |
| New-SignedJWT --token <\vault token> --tenant <id> | Construct JWT and sign using Key Vault PEM certificate (Azure Key Vault access token required) then generate Azure Management token |
| Command | Description |
|---|---|
| Get-CurrentUser | Get current user profile |
| Get-CurrentUserActivity | Get recent activity and actions of current user |
| Get-OrgInfo | Get information relating to the target organization |
| Get-Domains | Get domain objects |
| Get-User[--id <userid/upn>] | Get all users (default) or target user (--id) |
| Get-UserProperties[--id <userid/upn>] | Get current user properties (default) or target user (--id) !WARNING! loud/slow due to 403 errors when grouping properties |
| Get-UserPrivileges[--id <userid/upn>] | Get group/AU memberships and directory roles assgined for current user (default) or target user (--id) |
| Get-UserTransitiveGroupMembership[--id <userid/upn>] | Get transitive group memberships for current user (default) or target user (--id) |
| Get-Group[--id <groupid>] | Get all groups (default) or target group (--id) |
| Get-GroupMember --id <groupid> | Get all members of target group |
| Get-UserAppRoleAssignments[--id <userid/upn>] | Get user app role assignments for current user (default) or target user (--id) |
| Get-ConditionalAccessPolicy --id <cap id> | Get conditional access policy properties |
| Get-Application --id <app id> | Get Enterprise Application details for app (NOT object) ID (--id) |
| Get-AppServicePrincipal --id <app id> | Get details of the application's service principal from the app ID (--id) |
| Get-ServicePrincipal --id <id> | Get Service Principal details (--id) |
| Get-ServicePrincipalAppRoleAssignments --id <id> | Get Service Principal app role assignments (--id) |
| Get-PersonalContacts | Get contacts of the current user |
| Get-CrossTenantAccessPolicy | Get cross tenant access policy properties |
| Get-PartnerCrossTenantAccessPolicy | Get partner cross tenant access policy |
| Get-UserChatMessages --id <userid/upn> | Get all messages from all chats for target user |
| Get-AdministrativeUnitMember --id <adminunitid> | Get members of administrative unit |
| Get-OneDriveFiles[--id <userid/upn>] | Get all accessible OneDrive files for current user (default) or target user (--id) |
| Get-UserPermissionGrants[--id <userid/upn>] | Get permissions grants of current user (default) or target user (--id) |
| Get-oauth2PermissionGrants[--id <userid/upn>] | Get oauth2 permission grants for current user (default) or target user (--id) |
| Get-Messages[--id <userid/upn>] | Get all messages in signed-in user's mailbox (default) or target user (--id) |
| Get-TemporaryAccessPassword[--id <userid/upn>] | Get TAP details for current user (default) or target user (--id) |
| Get-Password[--id <userid/upn>] | Get passwords registered to current user (default) or target user (--id) |
| List-AuthMethods[--id <userid/upn>] | List authentication methods for current user (default) or target user (--id) |
| List-DirectoryRoles | List all directory roles activated in the tenant |
| List-Notebooks[--id <userid/upn>] | List current user notebooks (default) or target user (--id) |
| List-ConditionalAccessPolicies | List conditional access policy objects |
| List-ConditionalAuthenticationContexts | List conditional access authentication context |
| List-ConditionalNamedLocations | List conditional access named locations |
| List-SharePointRoot | List root SharePoint site properties |
| List-SharePointSites | List any available SharePoint sites |
| List-SharePointURLs | List SharePoint site web URLs visible to current user |
| List-ExternalConnections | List external connections |
| List-Applications | List all Azure Applications |
| List-ServicePrincipals | List all service principals |
| List-Tenants | List tenants |
| List-JoinedTeams[--id <userid/upn>] | List joined teams for current user (default) or target user (--id) |
| List-Chats[--id <userid/upn>] | List chats for current user (default) or target user (--id) |
| List-Devices | List devices |
| List-AdministrativeUnits | List administrative units |
| List-OneDrives[--id <userid/upn>] | List current user OneDrive (default) or target user (--id) |
| List-RecentOneDriveFiles | List current users recent OneDrive files |
| List-SharedOneDriveFiles | List OneDrive files shared with the current user |
| List-OneDriveURLs | List OneDrive web URLs visible to current user |
| Command | Description |
|---|---|
| Invoke-CustomQuery --query <graph endpoint URL> | Custom GET query to target Graph API endpoint e.g. https://graph.microsoft.com/v1.0/me |
| Invoke-Search --search <string> --entity <entity> | Search for string within entity type (driveItem, message, chatMessage, site, event) |
| Find-PrivilegedRoleUsers | Find users with privileged roles assigned |
| Find-PrivilegedApplications | Find privileged apps (via their service principal) with granted admin consent API permissions |
| Find-UpdatableGroups | Find groups which can be updated by the current user |
| Find-DynamicGroups | Find groups with dynamic membership rules |
| Find-SecurityGroups | Find security groups and group members |
| Update-UserPassword --id <userid/upn> | Update the passwordProfile of the target user (NewUserS3cret@Pass!) |
| Update-UserProperties --id <userid/upn> | Update the user properties of the target user |
| Add-UserTAP --id <userid/upn> | Add new Temporary Access Password (TAP) to target user |
| Add-GroupMember --id <groupid,objectidtoadd> | Add member to target group |
| Add-ApplicationPassword --id <app object id> | Add client secret to target application |
| Add-ApplicationCertificate --id <app object id> | Add client certificate to target application |
| Add-ApplicationPermission --id <app id> | Add permission to target application e.g. Mail.Send and attempt to grant admin consent (app ID NOT app object ID for --id) |
| Grant-AppAdminConsent --id <app id> | Grant admin consent for Graph API permission already assigned to enterprise application |
| Create-Application | Create new enterprise application with default settings |
| Create-NewUser | Create new Entra ID user |
| Invite-GuestUser --tenant <tenantid> | Invite guest user to Entra ID |
| Assign-PrivilegedRole | Assign chosen privileged role to user/group/object |
| Open-OWAMailboxInBrowser --token <substrate/outlooktoken> | Open an OWA Office 365 mailbox in BurpSuite's embedded Chromium browser using either a Substrate.Office.com or Outlook.Office.com access token |
| Dump-OWAMailbox --mail-folder <allitems/inbox/archive/drafts/sentitems/deleteditems/recoverableitemsdeletions> [--id <userid>] | Dump OWA Office 365 mailbox (default: current user) |
| Spoof-OWAEmailMessage --email <emailbodyfile> [--id <useridtospoof>] | Send email from current user's Outlook mailbox or spoof another user (--id) |
| Command | Description |
|---|---|
| Get-ManagedDevices | Get managed devices |
| Get-UserDevices --id <userprincipalname> | Get user devices |
| Get-CAPs | Get conditional access policies |
| Get-DeviceCategories | Get device categories |
| Get-DeviceComplianceSummary | Get device compliance summary |
| Get-DeviceConfigurations | Get device configurations |
| Get-DeviceConfigurationPolicySettings --id <configpolicyid> | Get device configuration policy settings |
| Get-DeviceEnrollmentConfigurations | Get device enrollment configurations |
| Get-DeviceGroupPolicyConfigurations | Get device group policy configurations and assignment details |
| Get-DeviceGroupPolicyDefinition --id <grouppolicyid> | Get device group policy definition |
| Get-RoleDefinitions | Get role definitions |
| Get-RoleAssignments | Get role assignments |
| Get-DeviceCompliancePolicies | Get all device compliance policies (Android, iOS, macOS, Windows, Linux, etc.) |
| Get-DeviceConfigurationPolicies | Get device configuration policies and assignment details (AV, ASR, DiskEnc, etc.) |
Use Get-DeviceConfigurationPolicies to identify the policyids with active assignments for the Display-* commands below
| Command | Description |
|---|---|
| Dump-DeviceManagementScripts | Dump device management PowerShell scripts |
| Dump-WindowsApps[--id <id>] | Dump managed Windows OS applications (exe, msi, appx, msix, etc.) |
| Dump-iOSApps[--id <id>] | Dump managed iOS/iPadOS mobile applications |
| Dump-macOSApps[--id <id>] | Dump managed macOS applications |
| Dump-AndroidApps[--id <id>] | Dump managed Android mobile applications |
| Get-ScriptContent --id <scriptid> | Get device management script content |
| Backdoor-Script --id <scriptid> --script <backdoored.ps1> | Add malicious code to pre-existing device management script |
| Deploy-MaliciousWebLink | Deploy malicious Windows web link application |
| Deploy-MaliciousScript --script <script.ps1> | Deploy new malicious device management PowerShell script to all devices |
| Display-AVPolicyRules --id <configpolicyid> | Display antivirus policy rules |
| Display-ASRPolicyRules --id <configpolicyid> | Display Attack Surface Reduction (ASR) policy rules |
| Display-DiskEncryptionPolicyRules --id <configpolicyid> | Display disk encryption policy rules |
| Display-FirewallConfigPolicyRules --id <configpoliyid> | Display firewall configuration policy rules |
| Display-FirewallRulePolicyRules --id <configpolicyid> | Display firewall RULE policy rules (not firewall configuration policy) |
| Display-EDRPolicyRules --id <configpolicyid> | Display EDR policy rules |
| Display-LAPSAccountProtectionPolicyRules --id <configpolicyid> | Display LAPS account protection policy rules |
| Display-UserGroupAccountProtectionPolicyRules --id <configpolicyid> | Display user group account protection policy rules |
| Add-ExclusionGroupToPolicy --id <configpolicyid> | Bypass av, asr, etc. rules by adding an exclusion group containing compromised user or device |
| Reboot-Device --id <deviceid> | Reboot managed device |
| Lock-Device --id <deviceid> | Lock managed device |
| Shutdown-Device --id <deviceid> | Shutdown managed device |
| Update-DeviceConfig --id <deviceid> | Update properties of the managed device configuration |
| Command | Description |
|---|---|
| Delete-User --id <userid> | Delete a user |
| Delete-Group --id <groupid> | Delete a group |
| Remove-GroupMember --id <objectid> | Remove user from a group |
| Delete-Application --id <appid> | Delete an application |
| Delete-Device --id <deviceid> | Delete managed device |
| Wipe-Device --id <deviceid> | Wipe managed device |
| Retire-Device --id <deviceid> | Retire managed device |
| Command | Description |
|---|---|
| Locate-ObjectID --id <object id> | Locate object ID and display object properties |
| Locate-PermissionID --id <graph permission id/name> | Locate Graph permission details (application/delegated, description, admin consent required) for ID or permission name |
| Locate-DirectoryRole --id <directory role id/name> | Locate Entra directory role information for template ID or role name |