GraphRunner : The Dual-Use Toolset For Microsoft 365 Security

GraphRunner is a powerful post-exploitation toolset designed for interacting with the Microsoft Graph API, enabling red teams and attackers to perform reconnaissance, persistence, and data exfiltration from Microsoft Entra ID (Azure AD) accounts.

Developed by Beau Bullock and Steve Borosh of Black Hills Information Security, GraphRunner provides a streamlined approach to exploiting vulnerabilities within Microsoft 365 environments.

Key Components

GraphRunner is composed of three primary components:

• PowerShell Script: Houses the majority of modules for reconnaissance, persistence, and data extraction.
• HTML GUI: A web-based interface that leverages access tokens to navigate and extract user account data.
• PHP Redirector: Captures OAuth authorization codes during consent grant attacks.

GraphRunner offers a wide array of functionalities:

• Data Exfiltration: Search and export emails, SharePoint files, OneDrive content, and Teams conversations.
• Reconnaissance: Identify misconfigured mailboxes, dump conditional access policies, and analyze user attributes.
• Privilege Escalation: Clone security groups, exploit modifiable group memberships, and deploy malicious apps.
• OAuth Flow Exploitation: Tools to complete OAuth flows for consent grant attacks.
• Tenant Mapping: Modules like Invoke-GraphRecon gather tenant information such as directory sync settings, app permissions, and user settings.
• Cross-Platform Compatibility: Works seamlessly on Windows and Linux without relying on third-party libraries.

GraphRunner requires authenticated access tokens to operate. Users can start by importing the PowerShell script and running the Get-GraphTokens module to authenticate.

The tool also supports importing tokens from other tools for broader compatibility. Once authenticated, users can leverage modules like Invoke-DumpApps to identify potentially malicious applications or Get-DynamicGroups to analyze exploitable group memberships.

While GraphRunner is a valuable tool for red teams, it poses significant risks if misused by threat actors. Its ability to bypass security configurations, exfiltrate sensitive data, and escalate privileges makes it a critical focus for defenders.

Organizations should monitor Graph API activity closely and enforce strict conditional access policies to mitigate potential abuse.

GraphRunner exemplifies the dual-use nature of cybersecurity tools—offering both offensive capabilities for ethical hacking and defensive insights for securing Microsoft 365 environments.