Sharp post-exploitation toolkit providing modular access to the Microsoft Graph API (graph.microsoft.com) for cloud and red team operations.

Created during the new Advanced Azure Cloud Attacks Lab. Inspired by GraphRunner and TokenTactics.

Index

  • Updates
  • Build
  • Usage
    • Flags
    • Methods
      • Auth Methods
      • Post-Auth Methods
  • Demo
    • Get-GraphTokens
    • Invoke-RefreshToAzureManagementToken
    • Invoke-RefreshToMSGraphToken
    • Invoke-RefreshToVaultToken
    • Invoke-CertToAccessToken
    • Get-TokenScope
    • New-SignedJWT
  • Observations
    • Common HTTP Error Codes

Build

Compiled executable in bin/Release is ready to go.

If loading and building for the first time select the ‘Restore’ button in VS (may need to add and use nuget.org as a package source then update any packages via References > Manage NuGet Packages... > Updates)

The following packages are required:

  • Newtonsoft.Json
  • Costura.Fody

Usage

SharpGraphView by @mlcsec

Usage:

    SharpGraphView.exe [Method] [-Domain <domain>] [-Tenant <tenant id>] [-Id <object id>] [-Select <display property>] [-Query <api endpoint>] [-Search <string> -Entity <entity>] [-Token <access token>] [-Cert <pfx cert>]

Flags:

    -Token                                   - Microsoft Graph access token or refresh token for FOCI abuse
    -Cert                                    - X509Certificate path
    -Domain                                  - Target domain
    -Tenant                                  - Target tenant ID
    -Id                                      - ID of target object
    -Key                                     - Azure Key Vault name (New-SignedJWT)
    -Select                                  - Filter output for comma seperated properties
    -Query                                   - Raw API query (GET request only)
    -Search                                  - Search string
    -Entity                                  - Search entity [driveItem (OneDrive), message (Mail), chatMessage (Teams), site (SharePoint), event (Calenders)]
    -help                                    - Show help

Auth:

    Get-GraphTokens                          - Obtain graph token via device code phish (saved to graph_tokens.txt)
    Get-TenantID                             - Get tenant ID for target domain
    Get-TokenScope                           - Get scope of supplied token
    Invoke-RefreshToMSGraphToken             - Convert refresh token to Micrsoft Graph token (saved to new_graph_tokens.txt)
    Invoke-RefreshToAzureManagementToken     - Convert refresh token to Azure Management token (saved to az_tokens.txt)
    Invoke-RefreshToVaultToken               - Convert refresh token to Azure Vault token (saved to vault_tokens.txt)
    Invoke-CertToAccessToken                 - Convert Azure Application certificate to JWT access token (saved to cert_tokens.txt)
    New-SignedJWT                            - Construct JWT and sign using Key Vault certificate (Azure Key Vault access token required) then generate Azure Management (ARM) token

Post-Auth:

    Get-CurrentUser                          - Get current user profile
    Get-CurrentUserActivity                  - Get recent actvity and actions of current user

    Get-OrgInfo                              - Get information relating to the target organisation
    Get-Domains                              - Get domain objects
    Get-User                                 - Get all users (default) or target user (-id)
    Get-UserProperties                       - Get current user properties (default) or target user (-id)
    Get-UserGroupMembership                  - Get group memberships for current user (default) or target user (-id)
    Get-UserTransitiveGroupMembership        - Get transitive group memberships for current user (default) or target user (-id)
    Get-Group                                - Get all groups (default) or target group (-id)
    Get-GroupMember                          - Get all members of target group
    Get-AppRoleAssignments                   - Get application role assignments for current user (default) or target user (-id)
    Get-ConditionalAccessPolicy              - Get conditional access policy properties
    Get-PersonalContacts                     - Get contacts of the current user
    Get-CrossTenantAccessPolicy              - Get cross tentant access policy properties
    Get-PartnerCrossTenantAccessPolicy       - Get partner cross tenant access policy
    Get-UserChatMessages                     - Get ALL messages from all chats for target user (Chat.Read.All)
    Get-AdministrativeUnitMember             - Get members of administrative unit
    Get-OneDriveFiles                        - Get all accessible OneDrive files for current user (default) or target user (-id)
    Get-UserPermissionGrants                 - Get permissions grants of current user (default) or target user (-id)
    Get-oauth2PermissionGrants               - Get oauth2 permission grants for current user (default) or target user (-id)
    Get-Messages                             - Get all messages in signed-in user's mailbox (default) or target user (-id)
    Get-TemporaryAccessPassword              - Get TAP details for current user (default) or target user (-id)
    Get-Password                             - Get passwords registered to current user (default) or target user (-id)

    List-AuthMethods                         - List authentication methods for current user (default) or target user (-id)
    List-DirectoryRoles                      - List all directory roles activated in the tenant
    List-Notebooks                           - List current user notebooks (default) or target user (-id)
    List-ConditionalAccessPolicies           - List conditional access policy objects
    List-ConditionalAuthenticationContexts   - List conditional access authentication context
    List-ConditionalNamedLocations           - List conditional access named locations
    List-SharePointRoot                      - List root SharePoint site properties
    List-SharePointSites                     - List any available SharePoint sites
    List-ExternalConnections                 - List external connections
    List-Applications                        - List all Azure Applications
    List-ServicePrincipals                   - List all service principals
    List-Tenants                             - List tenants
    List-JoinedTeams                         - List joined teams for current user (default) or target user (-id)
    List-Chats                               - List chats for current user (default) or target user (-id)
    List-ChatMessages                        - List messages in target chat (-id)
    List-Devices                             - List devices
    List-AdministrativeUnits                 - List administrative units
    List-OneDrives                           - List current user OneDrive (default) or target user (-id)
    List-RecentOneDriveFiles                 - List current user recent OneDrive files
    List-SharedOneDriveFiles                 - List OneDrive files shared with the current user

    Invoke-Search                            - Search for string within entity type (driveItem, message, chatMessage, site, event)
    Find-PrivilegedRoleUsers                 - Find users with privileged roles assigned
    Invoke-CustomQuery                       - Custom GET query to target Graph API endpoint
    Update-UserPassword                      - Update the passwordProfile of the target user (NewUserS3cret@Pass!)
    Add-ApplicationPassword                  - Add client secret to target application
    Add-UserTAP                              - Add new Temporary Access Password (TAP) to target user

Examples:

    SharpGraphView.exe Get-GraphTokens
    SharpGraphView.exe Invoke-RefreshToAzureManagementToken -tenant <tenant id> -token <refresh token>
    SharpGraphView.exe Get-User -id john.doe@vulncorp.onmicrosoft.com -token .\token.txt -select displayname,id
    SharpGraphView.exe Get-UserGroupMembership -token eyJ0eXAiOiJKV1QiLC...
    SharpGraphView.exe List-RecentOneDriveFiles -token .\token.txt
    SharpGraphView.exe Invoke-Search -search "password" -entity driveItem -token eyJ0eXAiOiJKV1QiLC...
    SharpGraphView.exe Invoke-CustomQuery -Query "https://graph.microsoft.com/v1.0/sites/{siteId}/drives" -token .\token.txt

For more information click here.

LEAVE A REPLY

Please enter your comment!
Please enter your name here