Exploitation Tools

GraphRunner : The Dual-Use Toolset For Microsoft 365 Security

GraphRunner is a powerful post-exploitation toolset designed for interacting with the Microsoft Graph API, enabling red teams and attackers to perform reconnaissance, persistence, and data exfiltration from Microsoft Entra ID (Azure AD) accounts.

Developed by Beau Bullock and Steve Borosh of Black Hills Information Security, GraphRunner provides a streamlined approach to exploiting vulnerabilities within Microsoft 365 environments.

Key Components

GraphRunner is composed of three primary components:

  • PowerShell Script: Houses the majority of modules for reconnaissance, persistence, and data extraction.
  • HTML GUI: A web-based interface that leverages access tokens to navigate and extract user account data.
  • PHP Redirector: Captures OAuth authorization codes during consent grant attacks.

GraphRunner offers a wide array of functionalities:

  • Data Exfiltration: Search and export emails, SharePoint files, OneDrive content, and Teams conversations.
  • Reconnaissance: Identify misconfigured mailboxes, dump conditional access policies, and analyze user attributes.
  • Privilege Escalation: Clone security groups, exploit modifiable group memberships, and deploy malicious apps.
  • OAuth Flow Exploitation: Tools to complete OAuth flows for consent grant attacks.
  • Tenant Mapping: Modules like Invoke-GraphRecon gather tenant information such as directory sync settings, app permissions, and user settings.
  • Cross-Platform Compatibility: Works seamlessly on Windows and Linux without relying on third-party libraries.

GraphRunner requires authenticated access tokens to operate. Users can start by importing the PowerShell script and running the Get-GraphTokens module to authenticate.

The tool also supports importing tokens from other tools for broader compatibility. Once authenticated, users can leverage modules like Invoke-DumpApps to identify potentially malicious applications or Get-DynamicGroups to analyze exploitable group memberships.

While GraphRunner is a valuable tool for red teams, it poses significant risks if misused by threat actors. Its ability to bypass security configurations, exfiltrate sensitive data, and escalate privileges makes it a critical focus for defenders.

Organizations should monitor Graph API activity closely and enforce strict conditional access policies to mitigate potential abuse.

GraphRunner exemplifies the dual-use nature of cybersecurity tools—offering both offensive capabilities for ethical hacking and defensive insights for securing Microsoft 365 environments.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Best OSINT Tools for Journalists 2026: Verify Sources, Images and Claims

Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…

4 hours ago

Install Docker on Ubuntu 20.04: Complete Step-by-Step Guide

Docker is an open-source platform that lets you package and run applications inside containers. Each container…

14 hours ago

Install PostgreSQL on Ubuntu: Database Setup and Admin Guide

PostgreSQL (often called Postgres) is an open-source relational database system. It supports advanced features like JSON…

15 hours ago

Install Xrdp Remote Desktop on Ubuntu: Setup and Connect

Xrdp is an open-source server that lets you connect to your Ubuntu machine from another computer…

15 hours ago

Tomcat 9 on Ubuntu 20.04: Install, Configure, and Start

Apache Tomcat is an open-source web server and Java servlet container. It is one of the…

15 hours ago

Automatic Updates on Ubuntu: Set Up unattended-upgrades

Keeping your Ubuntu system updated is one of the best ways to protect it. Security…

17 hours ago