Exploitation Tools

GraphRunner : The Dual-Use Toolset For Microsoft 365 Security

GraphRunner is a powerful post-exploitation toolset designed for interacting with the Microsoft Graph API, enabling red teams and attackers to perform reconnaissance, persistence, and data exfiltration from Microsoft Entra ID (Azure AD) accounts.

Developed by Beau Bullock and Steve Borosh of Black Hills Information Security, GraphRunner provides a streamlined approach to exploiting vulnerabilities within Microsoft 365 environments.

Key Components

GraphRunner is composed of three primary components:

  • PowerShell Script: Houses the majority of modules for reconnaissance, persistence, and data extraction.
  • HTML GUI: A web-based interface that leverages access tokens to navigate and extract user account data.
  • PHP Redirector: Captures OAuth authorization codes during consent grant attacks.

GraphRunner offers a wide array of functionalities:

  • Data Exfiltration: Search and export emails, SharePoint files, OneDrive content, and Teams conversations.
  • Reconnaissance: Identify misconfigured mailboxes, dump conditional access policies, and analyze user attributes.
  • Privilege Escalation: Clone security groups, exploit modifiable group memberships, and deploy malicious apps.
  • OAuth Flow Exploitation: Tools to complete OAuth flows for consent grant attacks.
  • Tenant Mapping: Modules like Invoke-GraphRecon gather tenant information such as directory sync settings, app permissions, and user settings.
  • Cross-Platform Compatibility: Works seamlessly on Windows and Linux without relying on third-party libraries.

GraphRunner requires authenticated access tokens to operate. Users can start by importing the PowerShell script and running the Get-GraphTokens module to authenticate.

The tool also supports importing tokens from other tools for broader compatibility. Once authenticated, users can leverage modules like Invoke-DumpApps to identify potentially malicious applications or Get-DynamicGroups to analyze exploitable group memberships.

While GraphRunner is a valuable tool for red teams, it poses significant risks if misused by threat actors. Its ability to bypass security configurations, exfiltrate sensitive data, and escalate privileges makes it a critical focus for defenders.

Organizations should monitor Graph API activity closely and enforce strict conditional access policies to mitigate potential abuse.

GraphRunner exemplifies the dual-use nature of cybersecurity tools—offering both offensive capabilities for ethical hacking and defensive insights for securing Microsoft 365 environments.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

21 hours ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

2 days ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

2 days ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

2 days ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

2 days ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

2 days ago