Sharp post-exploitation toolkit providing modular access to the Microsoft Graph API (graph.microsoft.com) for cloud and red team operations.

Created during the new Advanced Azure Cloud Attacks Lab. Inspired by GraphRunner and TokenTactics.
## Index

- Updates
- Build
- Usage
- Flags
- Methods
  - Auth Methods
  - Post-Auth Methods
- Demo
  - Get-GraphTokens
  - Invoke-RefreshToAzureManagementToken
  - Invoke-RefreshToMSGraphToken
  - Invoke-RefreshToVaultToken
  - Invoke-CertToAccessToken
  - Get-TokenScope
  - New-SignedJWT
- Observations
- Common HTTP Error Codes
## Build

The compiled executable in `bin/Release` is ready to go.

If loading and building for the first time, select the 'Restore' button in VS (you may need to add and use nuget.org as a package source, then update any packages via References > Manage NuGet Packages... > Updates).

The following packages are required:

- Newtonsoft.Json
- Costura.Fody
## Usage

```text
SharpGraphView by @mlcsec

Usage:
  SharpGraphView.exe [Method] [-Domain <domain>] [-Tenant <tenant id>] [-Id <object id>] [-Select <display property>] [-Query <api endpoint>] [-Search <string> -Entity <entity>] [-Token <access token>] [-Cert <pfx cert>]

Flags:
  -Token   - Microsoft Graph access token or refresh token for FOCI abuse
  -Cert    - X509Certificate path
  -Domain  - Target domain
  -Tenant  - Target tenant ID
  -Id      - ID of target object
  -Key     - Azure Key Vault name (New-SignedJWT)
  -Select  - Filter output for comma separated properties
  -Query   - Raw API query (GET request only)
  -Search  - Search string
  -Entity  - Search entity [driveItem (OneDrive), message (Mail), chatMessage (Teams), site (SharePoint), event (Calendars)]
  -help    - Show help

Auth:
  Get-GraphTokens                       - Obtain graph token via device code phish (saved to graph_tokens.txt)
  Get-TenantID                          - Get tenant ID for target domain
  Get-TokenScope                        - Get scope of supplied token
  Invoke-RefreshToMSGraphToken          - Convert refresh token to Microsoft Graph token (saved to new_graph_tokens.txt)
  Invoke-RefreshToAzureManagementToken  - Convert refresh token to Azure Management token (saved to az_tokens.txt)
  Invoke-RefreshToVaultToken            - Convert refresh token to Azure Vault token (saved to vault_tokens.txt)
  Invoke-CertToAccessToken              - Convert Azure Application certificate to JWT access token (saved to cert_tokens.txt)
  New-SignedJWT                         - Construct JWT and sign using Key Vault certificate (Azure Key Vault access token required) then generate Azure Management (ARM) token

Post-Auth:
  Get-CurrentUser                       - Get current user profile
  Get-CurrentUserActivity               - Get recent activity and actions of current user
  Get-OrgInfo                           - Get information relating to the target organisation
  Get-Domains                           - Get domain objects
  Get-User                              - Get all users (default) or target user (-id)
  Get-UserProperties                    - Get current user properties (default) or target user (-id)
  Get-UserGroupMembership               - Get group memberships for current user (default) or target user (-id)
  Get-UserTransitiveGroupMembership     - Get transitive group memberships for current user (default) or target user (-id)
  Get-Group                             - Get all groups (default) or target group (-id)
  Get-GroupMember                       - Get all members of target group
  Get-AppRoleAssignments                - Get application role assignments for current user (default) or target user (-id)
  Get-ConditionalAccessPolicy           - Get conditional access policy properties
  Get-PersonalContacts                  - Get contacts of the current user
  Get-CrossTenantAccessPolicy           - Get cross tenant access policy properties
  Get-PartnerCrossTenantAccessPolicy    - Get partner cross tenant access policy
  Get-UserChatMessages                  - Get ALL messages from all chats for target user (Chat.Read.All)
  Get-AdministrativeUnitMember          - Get members of administrative unit
  Get-OneDriveFiles                     - Get all accessible OneDrive files for current user (default) or target user (-id)
  Get-UserPermissionGrants              - Get permissions grants of current user (default) or target user (-id)
  Get-oauth2PermissionGrants            - Get oauth2 permission grants for current user (default) or target user (-id)
  Get-Messages                          - Get all messages in signed-in user's mailbox (default) or target user (-id)
  Get-TemporaryAccessPassword           - Get TAP details for current user (default) or target user (-id)
  Get-Password                          - Get passwords registered to current user (default) or target user (-id)
  List-AuthMethods                      - List authentication methods for current user (default) or target user (-id)
  List-DirectoryRoles                   - List all directory roles activated in the tenant
  List-Notebooks                        - List current user notebooks (default) or target user (-id)
  List-ConditionalAccessPolicies        - List conditional access policy objects
  List-ConditionalAuthenticationContexts - List conditional access authentication context
  List-ConditionalNamedLocations        - List conditional access named locations
  List-SharePointRoot                   - List root SharePoint site properties
  List-SharePointSites                  - List any available SharePoint sites
  List-ExternalConnections              - List external connections
  List-Applications                     - List all Azure Applications
  List-ServicePrincipals                - List all service principals
  List-Tenants                          - List tenants
  List-JoinedTeams                      - List joined teams for current user (default) or target user (-id)
  List-Chats                            - List chats for current user (default) or target user (-id)
  List-ChatMessages                     - List messages in target chat (-id)
  List-Devices                          - List devices
  List-AdministrativeUnits              - List administrative units
  List-OneDrives                        - List current user OneDrive (default) or target user (-id)
  List-RecentOneDriveFiles              - List current user recent OneDrive files
  List-SharedOneDriveFiles              - List OneDrive files shared with the current user
  Invoke-Search                         - Search for string within entity type (driveItem, message, chatMessage, site, event)
  Find-PrivilegedRoleUsers              - Find users with privileged roles assigned
  Invoke-CustomQuery                    - Custom GET query to target Graph API endpoint
  Update-UserPassword                   - Update the passwordProfile of the target user (NewUserS3cret@Pass!)
  Add-ApplicationPassword               - Add client secret to target application
  Add-UserTAP                           - Add new Temporary Access Password (TAP) to target user

Examples:
  SharpGraphView.exe Get-GraphTokens
  SharpGraphView.exe Invoke-RefreshToAzureManagementToken -tenant <tenant id> -token <refresh token>
  SharpGraphView.exe Get-User -id john.doe@vulncorp.onmicrosoft.com -token .\token.txt -select displayname,id
  SharpGraphView.exe Get-UserGroupMembership -token eyJ0eXAiOiJKV1QiLC...
  SharpGraphView.exe List-RecentOneDriveFiles -token .\token.txt
  SharpGraphView.exe Invoke-Search -search "password" -entity driveItem -token eyJ0eXAiOiJKV1QiLC...
  SharpGraphView.exe Invoke-CustomQuery -Query "https://graph.microsoft.com/v1.0/sites/{siteId}/drives" -token .\token.txt
```
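`Get-TokenScope` reports what a supplied token is scoped to, which is also the first thing a responder wants to know when a Graph token turns up in an incident (a `graph_tokens.txt`, a pasted `eyJ0eXAi...` string, a token file passed via `-token`). The following Python script is an added example, not part of SharpGraphView: it decodes the payload of a compact JWT offline, without verifying the signature, and summarises the audience, tenant, client application, user, delegated scopes (`scp`), application roles (`roles`) and expiry. The sample token is constructed in the script with a placeholder signature, and the tenant and client ids in it are placeholders, not real values.

```python
import base64
import json
import os
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWTs strip the '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def load_token(arg: str) -> str:
    """Accept either a raw token string or a path to a file containing one."""
    if os.path.isfile(arg):
        with open(arg, encoding="utf-8") as fh:
            return fh.read().strip()
    return arg.strip()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).
    The signature is NOT verified: this is for inspection only, never for an
    authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def summarize_token(token: str, now=None) -> dict:
    """Pull out the claims a responder cares about: who and what the token is
    for, which delegated scopes (scp) or app roles (roles) it carries, and
    whether it is still live. Scopes containing 'Write' are listed separately
    because they let the holder change data rather than only read it."""
    c = decode_claims(token)
    now = time.time() if now is None else now
    scopes = sorted(c.get("scp", "").split())
    return {
        "audience": c.get("aud"),
        "tenant": c.get("tid"),
        "client_app": c.get("appid"),
        "user": c.get("upn") or c.get("unique_name"),
        "scopes": scopes,
        "roles": sorted(c.get("roles", [])),
        "write_scopes": [s for s in scopes if "Write" in s],
        "expired": c.get("exp", 0) <= now,
    }


def make_sample_token(claims: dict) -> str:
    """Build a structurally valid but UNSIGNED token for offline testing.
    The third segment is a placeholder, not a real RS256 signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"constructed-placeholder-signature"),
    ])


# Constructed sample claims. Tenant and client ids are placeholders, not real values.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
    "upn": "john.doe@vulncorp.onmicrosoft.com",
    "scp": "User.Read Mail.ReadWrite Directory.Read.All",
    "iat": 1700000000,
    "exp": 1700003600,
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    import sys
    # Usage: python token_scope.py [<token or path to token file>]
    token = load_token(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TOKEN
    print(json.dumps(summarize_token(token), indent=2))
```

Run it with no arguments to see the constructed sample, or pass a token string or a file path the same way `-token` accepts both. Because the signature is deliberately not checked, the output tells you what a token claims, not that it is genuine; a refresh token is an opaque string rather than a JWT and will be rejected by `decode_claims`.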