Skip to content

GraphRunner.ps1

Jump to bottom
Beau Bullock edited this page Apr 7, 2026 · 39 revisions

GraphRunner.ps1

GraphRunner includes a PowerShell set of tools to assist with carrying out various attacks during post-exploitation of a Microsoft Entra ID (Azure AD) tenant. Most of the modules rely on having authenticated access tokens. To assist with this there are multiple modules for obtaining and working with both user and application (service principal) tokens.

To get started, import GraphRunner into a new PowerShell session.

Import-Module .\GraphRunner.ps1

Untitled

Authentication

  • Get-GraphTokens - Authenticate as a user to Microsoft Graph
  • Invoke-RefreshGraphTokens - Use a refresh token to obtain new access tokens
  • Get-AzureAppTokens - Complete OAuth flow as an app to obtain access tokens
  • Invoke-RefreshAzureAppTokens - Use a refresh token and app credentials to refresh a token
  • Invoke-AutoTokenRefresh - Refresh tokens at an interval

Recon & Enumeration Modules

  • Invoke-GraphRecon - Performs general recon for org info, user settings, directory sync settings, etc
  • Invoke-DumpCAPS - Gets conditional access policies with Graph/beta/legacy fallback and optional full JSON export
  • Invoke-DumpApps - Gets app registrations, grants, resolved permissions, and optional full JSON export
  • Get-AzureADUsers - Gets user directory
  • Get-DirectoryRoles - Gets activated directory roles and their members
  • Get-SecurityGroups - Gets all groups by default, or only security/M365 groups with switches
  • Get-UpdatableGroups - Gets groups that may be able to be modified by the current user
  • Get-DynamicGroups - Finds dynamic groups and displays membership rules
  • Get-SharePointSiteURLs - Gets a list of SharePoint site URLs visible to the current user
  • Invoke-GraphOpenInboxFinder - Checks each user’s inbox in a list to see if they are readable
  • Find-PermissiveCalendars - Finds calendars shared more permissively than free/busy visibility
  • Check-FrontDoorWAF - Audits Front Door WAF policies for RemoteAddr matching issues
  • Get-TenantID - Retrieves the tenant GUID from the domain name

Persistence Modules

  • Invoke-InjectOAuthApp - Injects an app registration into the tenant
  • Invoke-SecurityGroupCloner - Clones a security group while using an identical name and member list but can inject another user as well
  • Invoke-InviteGuest - Invites a guest user to the tenant
  • Invoke-AddGroupMember - Adds a member to a group
  • Invoke-CreateInboxForwardingRule - Creates an inbox forwarding rule that forwards matching emails to an email address

Pillage Modules

  • Invoke-SearchSharePointAndOneDrive - Search across all SharePoint sites and OneDrive drives visible to the user
  • Invoke-ImmersiveFileReader - Open restricted files with the immersive reader
  • Invoke-SearchMailbox - Has the ability to do deep searches across a user’s mailbox and can export messages
  • Invoke-SearchTeams - Can search all Teams messages in all channels that are readable by the current user
  • Invoke-SearchUserAttributes - Search for terms across all user attributes in a directory
  • Get-Inbox - Gets the latest inbox items from a mailbox and can be used to read other user mailboxes (shared)
  • Get-TeamsChat - Downloads full Teams chat conversations

Invoke-GraphRunner Module

  • Invoke-GraphRunner - Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams.

Supplemental Modules

  • Invoke-AutoOAuthFlow - Automates the OAuth flow completion to obtain access and refresh keys when a user grants consent to an app registration
  • Invoke-DeleteOAuthApp - Delete an OAuth App
  • Invoke-DeleteGroup - Delete a group
  • Invoke-RemoveGroupMember - Module for removing users/members from groups
  • Get-EntraIDGroupInfo - Retrieves detailed information about Entra ID groups
  • Invoke-DriveFileDownload - Has the ability to download single files from SharePoint and OneDrive as the current user
  • Invoke-CheckAccess - Check if tokens are valid
  • Invoke-HTTPServer - A basic web server to use for accessing the emailviewer that is output from Invoke-SearchMailbox
  • Invoke-BruteClientIDAccess - Test different client_id's against MSGraph to determine permissions
  • Invoke-ImportTokens - Import tokens from other tools for use in GraphRunner
  • Get-UserObjectID - Retrieves an Object ID for a user
  • Invoke-CreateCalendarEvent - Creates a calendar event in the current user's mailbox

Clone this wiki locally