post-exploiting-microsoft-graph-with-graphrunner

Installation
SKILL.md

Post-Exploiting Microsoft Graph with GraphRunner

Authorized use only: GraphRunner performs offensive actions against live Microsoft 365 / Entra ID tenants — deploying OAuth apps, cloning groups, adding members, and reading mailboxes, SharePoint, and Teams. Run it only against tenants you own or are explicitly authorized in writing to test. Unauthorized use is illegal.

Overview

GraphRunner (Beau Bullock / Black Hills Information Security) is a PowerShell post-exploitation toolset built entirely on the Microsoft Graph API. Given a foothold token, it performs recon, establishes persistence, escalates privilege, and pillages M365 data — all through Graph, which blends in with normal traffic and bypasses many endpoint controls. It is the natural follow-on to credential/token theft (e.g., device-code phishing or ROADtools): once you hold Graph access, GraphRunner operationalizes it.

The toolset is a single PowerShell module (GraphRunner.ps1) exposing dozens of functions grouped by purpose:

  • AuthenticationGet-GraphTokens (device-code login), Invoke-RefreshGraphTokens, Invoke-AutoTokenRefresh, Invoke-ImportTokens, Invoke-RefreshToSharePointToken.
  • Recon & EnumerationInvoke-GraphRecon (tenant/user permission summary), Invoke-DumpCAPS (conditional-access policies), Invoke-DumpApps (app registrations / consent grants), Get-AzureADUsers, Get-SecurityGroups, Get-UpdatableGroups, Get-DynamicGroups, Invoke-SearchUserAttributes, Invoke-GraphOpenInboxFinder, Find-PermissiveCalendars.
  • PersistenceInvoke-InjectOAuthApp (deploy a malicious OAuth app for consent-grant persistence), Invoke-CreateInboxForwardingRule.
  • Privilege EscalationGet-UpdatableGroups, Invoke-AddGroupMember, Invoke-SecurityGroupCloner, Invoke-InviteGuest.
  • Pillage / Data SearchInvoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, Invoke-SearchTeams, Get-TeamsChat, Invoke-DriveFileDownload.
  • Master runnerInvoke-GraphRunner runs an automated recon-and-pillage pass; List-GraphRunnerModules prints all modules.

This maps to MITRE ATT&CK T1098 — Account Manipulation: GraphRunner manipulates accounts, groups, and OAuth grants (adding members, injecting apps, cloning groups, inviting guests) to maintain and escalate access in the cloud identity plane.

When to Use

Installs
10
GitHub Stars
24.7K
First Seen
12 days ago
post-exploiting-microsoft-graph-with-graphrunner — mukul975/anthropic-cybersecurity-skills