diff --git a/.github/addapplicationcertificate-gen.png b/.github/addapplicationcertificate-gen.png new file mode 100644 index 0000000..766e376 Binary files /dev/null and b/.github/addapplicationcertificate-gen.png differ diff --git a/.github/addapplicationcertificate-portal.png b/.github/addapplicationcertificate-portal.png index ae11d6b..ff38963 100644 Binary files a/.github/addapplicationcertificate-portal.png and b/.github/addapplicationcertificate-portal.png differ diff --git a/.github/addapplicationcertificate.png b/.github/addapplicationcertificate.png index e03cac8..a63d043 100644 Binary files a/.github/addapplicationcertificate.png and b/.github/addapplicationcertificate.png differ diff --git a/.github/addapplicationpermission.png b/.github/addapplicationpermission.png index 9828d68..0f080cf 100644 Binary files a/.github/addapplicationpermission.png and b/.github/addapplicationpermission.png differ diff --git a/.github/addexclusiongroup1.png b/.github/addexclusiongroup1.png index fde7664..2bda517 100644 Binary files a/.github/addexclusiongroup1.png and b/.github/addexclusiongroup1.png differ diff --git a/.github/addexclusiongroup2.png b/.github/addexclusiongroup2.png index c24db4c..3eb85f4 100644 Binary files a/.github/addexclusiongroup2.png and b/.github/addexclusiongroup2.png differ diff --git a/.github/addexclusiongroup3.png b/.github/addexclusiongroup3.png index 71a7bf6..620e39f 100644 Binary files a/.github/addexclusiongroup3.png and b/.github/addexclusiongroup3.png differ diff --git a/.github/addexclusiongroup4.png b/.github/addexclusiongroup4.png index 45c55ed..3143553 100644 Binary files a/.github/addexclusiongroup4.png and b/.github/addexclusiongroup4.png differ diff --git a/.github/assignprivilegedrole.png b/.github/assignprivilegedrole.png index 76fb7d0..f76d05f 100644 Binary files a/.github/assignprivilegedrole.png and b/.github/assignprivilegedrole.png differ diff --git a/.github/backdoorscript.png b/.github/backdoorscript.png index ac1ce65..2a9f28d 100644 Binary files a/.github/backdoorscript.png and b/.github/backdoorscript.png differ diff --git a/.github/certtoaccesstoken.png b/.github/certtoaccesstoken.png index 5c058b5..1f65d4b 100644 Binary files a/.github/certtoaccesstoken.png and b/.github/certtoaccesstoken.png differ diff --git a/.github/deploymaliciousscript-intuneportal.png b/.github/deploymaliciousscript-intuneportal.png index 6af03ed..1298d7f 100644 Binary files a/.github/deploymaliciousscript-intuneportal.png and b/.github/deploymaliciousscript-intuneportal.png differ diff --git a/.github/deploymaliciousscript.png b/.github/deploymaliciousscript.png index 12795a1..10ec67e 100644 Binary files a/.github/deploymaliciousscript.png and b/.github/deploymaliciousscript.png differ diff --git a/.github/deploymaliciousweblink-ime.png b/.github/deploymaliciousweblink-ime.png new file mode 100644 index 0000000..eb90451 Binary files /dev/null and b/.github/deploymaliciousweblink-ime.png differ diff --git a/.github/deploymaliciousweblink-portal.png b/.github/deploymaliciousweblink-portal.png new file mode 100644 index 0000000..714df52 Binary files /dev/null and b/.github/deploymaliciousweblink-portal.png differ diff --git a/.github/deploymaliciousweblink.png b/.github/deploymaliciousweblink.png deleted file mode 100644 index 6ff406f..0000000 Binary files a/.github/deploymaliciousweblink.png and /dev/null differ diff --git a/.github/deploymaliciousweblink2.png b/.github/deploymaliciousweblink2.png index b8287da..3930ff3 100644 Binary files a/.github/deploymaliciousweblink2.png and b/.github/deploymaliciousweblink2.png differ diff --git a/.github/deploymaliciousweblink3.png b/.github/deploymaliciousweblink3.png new file mode 100644 index 0000000..fade3f2 Binary files /dev/null and b/.github/deploymaliciousweblink3.png differ diff --git a/.github/displayavpolicyrules.png b/.github/displayavpolicyrules.png index c69a7c9..bd9086d 100644 Binary files a/.github/displayavpolicyrules.png and b/.github/displayavpolicyrules.png differ diff --git a/.github/dump-devicemanabenentscritps.png b/.github/dump-devicemanabenentscritps.png index cb36ee6..5d3ec77 100644 Binary files a/.github/dump-devicemanabenentscritps.png and b/.github/dump-devicemanabenentscritps.png differ diff --git a/.github/dumpwindowsapps.png b/.github/dumpwindowsapps.png new file mode 100644 index 0000000..40ce1e7 Binary files /dev/null and b/.github/dumpwindowsapps.png differ diff --git a/.github/estsauthcookie.png b/.github/estsauthcookie.png index 2e4e7f1..e032a18 100644 Binary files a/.github/estsauthcookie.png and b/.github/estsauthcookie.png differ diff --git a/.github/finddynamicgroups.png b/.github/finddynamicgroups.png index 638311c..08dec1c 100644 Binary files a/.github/finddynamicgroups.png and b/.github/finddynamicgroups.png differ diff --git a/.github/findprivilegedapps.png b/.github/findprivilegedapps.png index 97f59c7..a04648b 100644 Binary files a/.github/findprivilegedapps.png and b/.github/findprivilegedapps.png differ diff --git a/.github/findprivilegedroleusers.png b/.github/findprivilegedroleusers.png index 6d26237..f3c8f87 100644 Binary files a/.github/findprivilegedroleusers.png and b/.github/findprivilegedroleusers.png differ diff --git a/.github/findupdatablegroups.png b/.github/findupdatablegroups.png index 83dce0e..776b538 100644 Binary files a/.github/findupdatablegroups.png and b/.github/findupdatablegroups.png differ diff --git a/.github/getapplication-perms.png b/.github/getapplication-perms.png deleted file mode 100644 index d47f77e..0000000 Binary files a/.github/getapplication-perms.png and /dev/null differ diff --git a/.github/getapplication-updated.png b/.github/getapplication-updated.png deleted file mode 100644 index 68da737..0000000 Binary files a/.github/getapplication-updated.png and /dev/null differ diff --git a/.github/getapplication-verified.png b/.github/getapplication-verified.png new file mode 100644 index 0000000..410400a Binary files /dev/null and b/.github/getapplication-verified.png differ diff --git a/.github/getapplication.png b/.github/getapplication.png index 441e9e4..8b739f7 100644 Binary files a/.github/getapplication.png and b/.github/getapplication.png differ diff --git a/.github/getcurrentuser.png b/.github/getcurrentuser.png new file mode 100644 index 0000000..85d4438 Binary files /dev/null and b/.github/getcurrentuser.png differ diff --git a/.github/getdevicecompliancepolicies.png b/.github/getdevicecompliancepolicies.png new file mode 100644 index 0000000..6079dbf Binary files /dev/null and b/.github/getdevicecompliancepolicies.png differ diff --git a/.github/getdeviceconfigurationpolicies.png b/.github/getdeviceconfigurationpolicies.png index 4a4fa21..e7bbbc6 100644 Binary files a/.github/getdeviceconfigurationpolicies.png and b/.github/getdeviceconfigurationpolicies.png differ diff --git a/.github/getdomains.png b/.github/getdomains.png new file mode 100644 index 0000000..801145f Binary files /dev/null and b/.github/getdomains.png differ diff --git a/.github/getgraphtokens.png b/.github/getgraphtokens.png index e9ad4b5..a50fdd3 100644 Binary files a/.github/getgraphtokens.png and b/.github/getgraphtokens.png differ diff --git a/.github/getgroup.png b/.github/getgroup.png new file mode 100644 index 0000000..24f4a55 Binary files /dev/null and b/.github/getgroup.png differ diff --git a/.github/getgroupmember-dynamic.png b/.github/getgroupmember-dynamic.png new file mode 100644 index 0000000..b679c2a Binary files /dev/null and b/.github/getgroupmember-dynamic.png differ diff --git a/.github/getgroupmember.png b/.github/getgroupmember.png index 4d5169c..87742cf 100644 Binary files a/.github/getgroupmember.png and b/.github/getgroupmember.png differ diff --git a/.github/getgroupmember2.png b/.github/getgroupmember2.png new file mode 100644 index 0000000..75eb0d7 Binary files /dev/null and b/.github/getgroupmember2.png differ diff --git a/.github/getgroupmemberafter.png b/.github/getgroupmemberafter.png index 39d743e..870ea34 100644 Binary files a/.github/getgroupmemberafter.png and b/.github/getgroupmemberafter.png differ diff --git a/.github/getmanageddevices.png b/.github/getmanageddevices.png index 111467a..1649fed 100644 Binary files a/.github/getmanageddevices.png and b/.github/getmanageddevices.png differ diff --git a/.github/getpermissionid.png b/.github/getpermissionid.png deleted file mode 100644 index 9087a2a..0000000 Binary files a/.github/getpermissionid.png and /dev/null differ diff --git a/.github/getscriptcontent-new.png b/.github/getscriptcontent-new.png index 739dfa5..35c4177 100644 Binary files a/.github/getscriptcontent-new.png and b/.github/getscriptcontent-new.png differ diff --git a/.github/getscriptcontent.png b/.github/getscriptcontent.png index 7e9f75d..1486c8e 100644 Binary files a/.github/getscriptcontent.png and b/.github/getscriptcontent.png differ diff --git a/.github/getserviceprincipalapproleassignments.png b/.github/getserviceprincipalapproleassignments.png deleted file mode 100644 index bc7a9db..0000000 Binary files a/.github/getserviceprincipalapproleassignments.png and /dev/null differ diff --git a/.github/gettenantid.png b/.github/gettenantid.png new file mode 100644 index 0000000..c83d236 Binary files /dev/null and b/.github/gettenantid.png differ diff --git a/.github/gettokenscope.png b/.github/gettokenscope.png new file mode 100644 index 0000000..932bfe1 Binary files /dev/null and b/.github/gettokenscope.png differ diff --git a/.github/getuser-all.png b/.github/getuser-all.png new file mode 100644 index 0000000..787c3b1 Binary files /dev/null and b/.github/getuser-all.png differ diff --git a/.github/getuser.png b/.github/getuser.png index d98515a..0aa1561 100644 Binary files a/.github/getuser.png and b/.github/getuser.png differ diff --git a/.github/getuserdevices.png b/.github/getuserdevices.png index f47eb7c..024329c 100644 Binary files a/.github/getuserdevices.png and b/.github/getuserdevices.png differ diff --git a/.github/getuserprivileges.png b/.github/getuserprivileges.png index 601316a..6f007b3 100644 Binary files a/.github/getuserprivileges.png and b/.github/getuserprivileges.png differ diff --git a/.github/getuserproperties.png b/.github/getuserproperties.png new file mode 100644 index 0000000..888138f Binary files /dev/null and b/.github/getuserproperties.png differ diff --git a/.github/grantappadminconsent.png b/.github/grantappadminconsent.png index 794097a..7488831 100644 Binary files a/.github/grantappadminconsent.png and b/.github/grantappadminconsent.png differ diff --git a/.github/inviteguestuser.png b/.github/inviteguestuser.png index 88253eb..62609dd 100644 Binary files a/.github/inviteguestuser.png and b/.github/inviteguestuser.png differ diff --git a/.github/invokesearch.png b/.github/invokesearch.png new file mode 100644 index 0000000..b67c85f Binary files /dev/null and b/.github/invokesearch.png differ diff --git a/.github/invokeuserenum.png b/.github/invokeuserenum.png index aba9c7b..93bf5f0 100644 Binary files a/.github/invokeuserenum.png and b/.github/invokeuserenum.png differ diff --git a/.github/listrecentonedrivefiles.png b/.github/listrecentonedrivefiles.png index 39c7922..7a7c44e 100644 Binary files a/.github/listrecentonedrivefiles.png and b/.github/listrecentonedrivefiles.png differ diff --git a/.github/listsharepointroot.png b/.github/listsharepointroot.png deleted file mode 100644 index 863a51c..0000000 Binary files a/.github/listsharepointroot.png and /dev/null differ diff --git a/.github/locatedirectoryrole.png b/.github/locatedirectoryrole.png new file mode 100644 index 0000000..48acc67 Binary files /dev/null and b/.github/locatedirectoryrole.png differ diff --git a/.github/locateobjectid.png b/.github/locateobjectid.png deleted file mode 100644 index f087beb..0000000 Binary files a/.github/locateobjectid.png and /dev/null differ diff --git a/.github/locateobjectid2.png b/.github/locateobjectid2.png new file mode 100644 index 0000000..3ebf2d7 Binary files /dev/null and b/.github/locateobjectid2.png differ diff --git a/.github/locatepermissionid.png b/.github/locatepermissionid.png index 138b861..4eee59c 100644 Binary files a/.github/locatepermissionid.png and b/.github/locatepermissionid.png differ diff --git a/.github/locatepermissionid2.png b/.github/locatepermissionid2.png new file mode 100644 index 0000000..93249e0 Binary files /dev/null and b/.github/locatepermissionid2.png differ diff --git a/.github/reconasoutsider.png b/.github/reconasoutsider.png new file mode 100644 index 0000000..68c6c62 Binary files /dev/null and b/.github/reconasoutsider.png differ diff --git a/.github/refreshtoazuremanagement.png b/.github/refreshtoazuremanagement.png index db14925..c7d0f3e 100644 Binary files a/.github/refreshtoazuremanagement.png and b/.github/refreshtoazuremanagement.png differ diff --git a/.github/refreshtomsgraph.png b/.github/refreshtomsgraph.png new file mode 100644 index 0000000..84ac68c Binary files /dev/null and b/.github/refreshtomsgraph.png differ diff --git a/.github/removegroupmember.png b/.github/removegroupmember.png index ca7377a..93950dd 100644 Binary files a/.github/removegroupmember.png and b/.github/removegroupmember.png differ diff --git a/.github/spoofowaemailcommand.png b/.github/spoofowaemailcommand.png index 46fb4b5..f048a6a 100644 Binary files a/.github/spoofowaemailcommand.png and b/.github/spoofowaemailcommand.png differ diff --git a/.github/updateuserproperties.png b/.github/updateuserproperties.png new file mode 100644 index 0000000..ef8e9d6 Binary files /dev/null and b/.github/updateuserproperties.png differ diff --git a/.github/usage.png b/.github/usage.png index ea7a5f9..f8ee0e1 100644 Binary files a/.github/usage.png and b/.github/usage.png differ diff --git a/.github/webapplink-desktop.png b/.github/webapplink-desktop.png new file mode 100644 index 0000000..29024f0 Binary files /dev/null and b/.github/webapplink-desktop.png differ diff --git a/.github/webapplink-dir.png b/.github/webapplink-dir.png new file mode 100644 index 0000000..7cdb7c2 Binary files /dev/null and b/.github/webapplink-dir.png differ diff --git a/.github/webapplink-salesportal.png b/.github/webapplink-salesportal.png new file mode 100644 index 0000000..d9a1115 Binary files /dev/null and b/.github/webapplink-salesportal.png differ diff --git a/.github/webapplink-start.png b/.github/webapplink-start.png new file mode 100644 index 0000000..7371722 Binary files /dev/null and b/.github/webapplink-start.png differ diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4e7a394 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +build/ +dist/ +*.egg-info/ +__pycache__/ diff --git a/graphpython.py b/Graphpython.py similarity index 51% rename from graphpython.py rename to Graphpython.py index 4586ff0..81913b7 100644 --- a/graphpython.py +++ b/Graphpython.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 -from graphpython.__main__ import main +from Graphpython.__main__ import main if __name__ == '__main__': - main() \ No newline at end of file + main() diff --git a/Graphpython/MANIFEST.in b/Graphpython/MANIFEST.in new file mode 100644 index 0000000..318dde9 --- /dev/null +++ b/Graphpython/MANIFEST.in @@ -0,0 +1,4 @@ +include Graphpython/commands/graphpermissions.txt +include Graphpython/commands/directoryroles.txt +include requirements.txt +include README.md diff --git a/graphpython/__init__.py b/Graphpython/__init__.py similarity index 100% rename from graphpython/__init__.py rename to Graphpython/__init__.py diff --git a/graphpython/__main__.py b/Graphpython/__main__.py similarity index 59% rename from graphpython/__main__.py rename to Graphpython/__main__.py index 3d2c1af..afdf862 100644 --- a/graphpython/__main__.py +++ b/Graphpython/__main__.py @@ -3,8 +3,8 @@ import sys import argparse import textwrap -from graphpython.commands import outsider, auth, enum, exploit, intune_enum, intune_exploit, cleanup, locators -from graphpython.utils.helpers import list_commands, print_red +from Graphpython.commands import outsider, auth, enum, exploit, intune_enum, intune_exploit, cleanup, locators +from Graphpython.utils.helpers import list_commands, print_red def parseArgs(): @@ -14,36 +14,36 @@ def parseArgs(): formatter_class=argparse.RawDescriptionHelpFormatter, epilog=textwrap.dedent('''\ examples: - graphpython --command invoke-reconasoutsider --domain company.com - graphpython --command invoke-userenumerationasoutsider --username - graphpython --command get-graphtokens - graphpython --command invoke-refreshtoazuremanagementtoken --tenant --token refresh-token - graphpython --command get-users --token eyJ0... -- select displayname,id [--id ] - graphpython --command list-recentonedrivefiles --token token - graphpython --command invoke-search --search "credentials" --entity driveItem --token token - graphpython --command invoke-customquery --query https://graph.microsoft.com/v1.0/sites/{siteId}/drives --token token - graphpython --command assign-privilegedrole --token token - graphpython --command spoof-owaemailmessage [--id ] --token token --email email-body.txt - graphpython --command get-manageddevices --token intune-token - graphpython --command deploy-maliciousscript --script malicious.ps1 --token token - graphpython --command backdoor-script --id --script backdoored-script.ps1 --token token - graphpython --command add-exclusiongrouptopolicy --id --token token - graphpython --command reboot-device --id --token eyj0... + Graphpython --command invoke-reconasoutsider --domain company.com + Graphpython --command invoke-userenumerationasoutsider --username + Graphpython --command get-graphtokens + Graphpython --command invoke-refreshtoazuremanagementtoken --tenant --token refresh-token + Graphpython --command get-users --token eyJ0... -- select displayname,id [--id ] + Graphpython --command list-recentonedrivefiles --token token + Graphpython --command invoke-search --search "credentials" --entity driveItem --token token + Graphpython --command invoke-customquery --query https://graph.microsoft.com/v1.0/sites/{siteId}/drives --token token + Graphpython --command assign-privilegedrole --token token + Graphpython --command spoof-owaemailmessage [--id ] --token token --email email-body.txt + Graphpython --command get-manageddevices --token intune-token + Graphpython --command deploy-maliciousscript --script malicious.ps1 --token token + Graphpython --command backdoor-script --id --script backdoored-script.ps1 --token token + Graphpython --command add-exclusiongrouptopolicy --id --token token + Graphpython --command reboot-device --id --token eyj0... ''') ) parser.add_argument("--command", help="Command to execute") parser.add_argument("--list-commands", action="store_true", help="List available commands") parser.add_argument("--token", help="Microsoft Graph access token or refresh token for FOCI abuse") - parser.add_argument("--estsauthcookie", help="'ESTSAuth' or 'ESTSAuthPersistent' cookie value") - parser.add_argument("--use-cae", action="store_true", help="Flag to use Continuous Access Evaluation (CAE) - add 'cp1' as client claim to get an access token valid for 24 hours") - parser.add_argument("--cert", help="X509Certificate path (.pfx)") + parser.add_argument("--estsauthcookie", help="'ESTSAuth' or 'ESTSAuthPersistent' cookie") + parser.add_argument("--use-cae", action="store_true", help="Flag to use Continuous Access Evaluation (CAE)") + parser.add_argument("--cert", help="X509Certificate path (.pfx, .crt, .pem, .cer)") parser.add_argument("--domain", help="Target domain") parser.add_argument("--tenant", help="Target tenant ID") - parser.add_argument("--username", help="Username or file containing username (invoke-userenumerationasoutsider)") + parser.add_argument("--username", help="Username or file containing usernames (invoke-userenumerationasoutsider)") parser.add_argument("--secret", help="Enterprise application secretText (invoke-appsecrettoaccesstoken)") parser.add_argument("--id", help="ID of target object") parser.add_argument("--select", help="Fields to select from output") - parser.add_argument("--query", help="Raw API query (GET only)") + parser.add_argument("--query", help="Raw API query URL (GET only)") parser.add_argument("--search", help="Search string") parser.add_argument("--entity", choices=['driveItem', 'message', 'chatMessage', 'site', 'event'],help="Search entity type: driveItem(OneDrive), message(Mail), chatMessage(Teams), site(SharePoint), event(Calenders)") parser.add_argument("--device", choices=['Mac', 'Windows', 'AndroidMobile', 'iPhone'], help="Device type for User-Agent forging") @@ -51,7 +51,7 @@ def parseArgs(): parser.add_argument("--only-return-cookies", action="store_true", help="Only return cookies from the request (open-owamailboxinbrowser)") parser.add_argument("--mail-folder", choices=['Allitems', 'inbox', 'archive', 'drafts', 'sentitems', 'deleteditems', 'recoverableitemsdeletions'], help="Mail folder to dump (dump-owamailbox)") parser.add_argument("--top", type=int, help="Number (int) of messages to retrieve (dump-owamailbox)") - parser.add_argument("--script", help="File containing the script content (deploy-maliciousscript and backdoor-script)") + parser.add_argument("--script", help="File containing the script content (deploy-maliciousscript or backdoor-script)") parser.add_argument("--email", help="File containing OWA email message body content (spoof-owaemailmessage)") args = parser.parse_args() @@ -78,7 +78,7 @@ def main(): "list-sharedonedrivefiles", "invoke-customquery", "invoke-search", "find-privilegedroleusers", "find-updatablegroups", "find-dynamicgroups","find-securitygroups", "locate-objectid", "update-userpassword", "add-applicationpassword", "add-usertap", "add-groupmember", "create-application", "create-newuser", "invite-guestuser", "assign-privilegedrole", "open-owamailboxinbrowser", "dump-owamailbox", "spoof-owaemailmessage", - "delete-user", "delete-group", "remove-groupmember", "delete-application", "delete-device", "wipe-device", "retire-device", + "delete-user", "delete-group", "remove-groupmember", "delete-application", "delete-device", "wipe-device", "retire-device", "locate-directoryrole", "get-manageddevices", "get-userdevices", "get-caps", "get-devicecategories", "get-devicecompliancepolicies", "update-deviceconfig", "get-devicecompliancesummary", "get-deviceconfigurations", "get-deviceconfigurationpolicies", "get-deviceconfigurationpolicysettings", "get-deviceenrollmentconfigurations", "get-devicegrouppolicyconfigurations","update-userproperties", "dump-windowsapps", "dump-iosapps", "dump-androidapps", @@ -132,85 +132,92 @@ def main(): print_red(f"[-] Error: --token is required for command") return - # Outsider commands - elif args.command in ["invoke-reconasoutsider", "invoke-userenumerationasoutsider"]: - getattr(outsider, args.command.replace("-", "_"))(args) - - # Authentication commands - if args.command in ["get-graphtokens", "get-tenantid", "get-tokenscope", "decode-accesstoken", - "invoke-refreshtomsgraphtoken", "invoke-refreshtoazuremanagementtoken", - "invoke-refreshtovaulttoken", "invoke-refreshtomsteamstoken", - "invoke-refreshtoofficeappstoken", "invoke-refreshtoofficemanagementtoken", - "invoke-refreshtooutlooktoken", "invoke-refreshtosubstratetoken", - "invoke-refreshtoyammertoken", "invoke-refreshtointuneenrollmenttoken", - "invoke-refreshtoonedrivetoken", "invoke-refreshtosharepointtoken", - "invoke-certtoaccesstoken", "invoke-estscookietoaccesstoken", - "invoke-appsecrettoaccesstoken", "new-signedjwt"]: - getattr(auth, args.command.replace("-", "_"))(args) - - # Enumeration commands - elif args.command in ["get-currentuser", "get-currentuseractivities", "get-orginfo", "get-domains", - "get-user", "get-userproperties", "get-userprivileges", - "get-usertransitivegroupmembership", "get-group", "get-groupmember", - "get-userapproleassignments", "get-conditionalaccesspolicy", - "get-application", "get-personalcontacts", "get-crosstenantaccesspolicy", - "get-partnercrosstenantaccesspolicy", "get-userchatmessages", - "get-administrativeunitmember", "get-onedrivefiles", "get-userpermissiongrants", - "get-oauth2permissiongrants", "get-messages", "get-temporaryaccesspassword", - "get-password", "list-authmethods", "list-directoryroles", "list-notebooks", - "list-conditionalaccesspolicies", "list-conditionalauthenticationcontexts", - "list-conditionalnamedlocations", "list-sharepointroot", "list-sharepointsites", - "list-sharepointurls", "list-externalconnections", "list-applications", "list-onedriveurls", - "list-serviceprincipals", "list-tenants", "list-joinedteams", "list-chats", - "list-chatmessages", "list-devices", "list-administrativeunits", "list-onedrives", - "list-recentonedrivefiles", "list-sharedonedrivefiles", "get-appserviceprincipal", - "get-serviceprincipal", "get-serviceprincipalapproleassignments"]: - getattr(enum, args.command.replace("-", "_"))(args) - - # Exploitation commands - elif args.command in ["invoke-customquery","invoke-search", "find-privilegedroleusers", "find-privilegedapplications", - "find-updatablegroups","find-dynamicgroups", "find-securitygroups", - "update-userpassword", "update-userproperties", "add-usertap", "add-groupmember", - "create-application", "create-newuser", "invite-guestuser", - "assign-privilegedrole", "open-owamailboxinbrowser", "dump-owamailbox", - "spoof-owaemailmessage", "add-applicationpermission", "add-applicationcertificate", - "add-applicationpassword", "grant-appadminconsent"]: - getattr(exploit, args.command.replace("-", "_"))(args) - - # Intune enum commands - elif args.command in ["get-manageddevices", "get-userdevices", "get-caps", "get-devicecategories", - "get-devicecompliancesummary", "get-deviceconfigurations", - "get-deviceconfigurationpolicies", "get-deviceconfigurationpolicysettings", - "get-deviceenrollmentconfigurations", "get-devicegrouppolicyconfigurations", - "get-devicegrouppolicydefinition", "get-roledefinitions", "get-roleassignments", - "get-devicecompliancepolicies"]: - getattr(intune_enum, args.command.replace("-", "_"))(args) + try: + # Outsider commands + if args.command in ["invoke-reconasoutsider", "invoke-userenumerationasoutsider"]: + getattr(outsider, args.command.replace("-", "_"))(args) + + # Authentication commands + elif args.command in ["get-graphtokens", "get-tenantid", "get-tokenscope", "decode-accesstoken", + "invoke-refreshtomsgraphtoken", "invoke-refreshtoazuremanagementtoken", + "invoke-refreshtovaulttoken", "invoke-refreshtomsteamstoken", + "invoke-refreshtoofficeappstoken", "invoke-refreshtoofficemanagementtoken", + "invoke-refreshtooutlooktoken", "invoke-refreshtosubstratetoken", + "invoke-refreshtoyammertoken", "invoke-refreshtointuneenrollmenttoken", + "invoke-refreshtoonedrivetoken", "invoke-refreshtosharepointtoken", + "invoke-certtoaccesstoken", "invoke-estscookietoaccesstoken", + "invoke-appsecrettoaccesstoken", "new-signedjwt"]: + getattr(auth, args.command.replace("-", "_"))(args) + + # Enumeration commands + elif args.command in ["get-currentuser", "get-currentuseractivities", "get-orginfo", "get-domains", + "get-user", "get-userproperties", "get-userprivileges", + "get-usertransitivegroupmembership", "get-group", "get-groupmember", + "get-userapproleassignments", "get-conditionalaccesspolicy", + "get-application", "get-personalcontacts", "get-crosstenantaccesspolicy", + "get-partnercrosstenantaccesspolicy", "get-userchatmessages", + "get-administrativeunitmember", "get-onedrivefiles", "get-userpermissiongrants", + "get-oauth2permissiongrants", "get-messages", "get-temporaryaccesspassword", + "get-password", "list-authmethods", "list-directoryroles", "list-notebooks", + "list-conditionalaccesspolicies", "list-conditionalauthenticationcontexts", + "list-conditionalnamedlocations", "list-sharepointroot", "list-sharepointsites", + "list-sharepointurls", "list-externalconnections", "list-applications", "list-onedriveurls", + "list-serviceprincipals", "list-tenants", "list-joinedteams", "list-chats", + "list-chatmessages", "list-devices", "list-administrativeunits", "list-onedrives", + "list-recentonedrivefiles", "list-sharedonedrivefiles", "get-appserviceprincipal", + "get-serviceprincipal", "get-serviceprincipalapproleassignments"]: + getattr(enum, args.command.replace("-", "_"))(args) + + # Exploitation commands + elif args.command in ["invoke-customquery","invoke-search", "find-privilegedroleusers", "find-privilegedapplications", + "find-updatablegroups","find-dynamicgroups", "find-securitygroups", + "update-userpassword", "update-userproperties", "add-usertap", "add-groupmember", + "create-application", "create-newuser", "invite-guestuser", + "assign-privilegedrole", "open-owamailboxinbrowser", "dump-owamailbox", + "spoof-owaemailmessage", "add-applicationpermission", "add-applicationcertificate", + "add-applicationpassword", "grant-appadminconsent"]: + getattr(exploit, args.command.replace("-", "_"))(args) + + # Intune enum commands + elif args.command in ["get-manageddevices", "get-userdevices", "get-caps", "get-devicecategories", + "get-devicecompliancesummary", "get-deviceconfigurations", + "get-deviceconfigurationpolicies", "get-deviceconfigurationpolicysettings", + "get-deviceenrollmentconfigurations", "get-devicegrouppolicyconfigurations", + "get-devicegrouppolicydefinition", "get-roledefinitions", "get-roleassignments", + "get-devicecompliancepolicies"]: + getattr(intune_enum, args.command.replace("-", "_"))(args) + + # Intune exploit commands + elif args.command in ["dump-devicemanagementscripts","dump-windowsapps", "dump-iosapps", + "dump-androidapps", "dump-macosapps","get-scriptcontent", + "display-avpolicyrules", "display-asrpolicyrules", + "display-diskencryptionpolicyrules", "display-firewallconfigpolicyrules", + "display-firewallrulepolicyrules", "display-edrpolicyrules", + "display-lapsaccountprotectionpolicyrules", + "display-usergroupaccountprotectionpolicyrules", "add-exclusiongrouptopolicy", + "deploy-maliciousscript", "deploy-maliciousweblink", "backdoor-script", + "update-deviceconfig", "reboot-device", "lock-device", "shutdown-device"]: + getattr(intune_exploit, args.command.replace("-", "_"))(args) + + # Cleanup commands + elif args.command in ["delete-user", "delete-group", "remove-groupmember", "delete-application", + "delete-device", "wipe-device", "retire-device"]: + getattr(cleanup, args.command.replace("-", "_"))(args) + + # Locator commands + elif args.command in ["locate-objectid", "locate-permissionid", "locate-directoryrole"]: + getattr(locators, args.command.replace("-", "_"))(args) + + # ... + elif args.command and args.command.lower() not in available_commands: + print_red(f"[-] Error: Unknown command '{args.command}'. Use --list-commands to see available commands") - # Intune exploit commands - elif args.command in ["dump-devicemanagementscripts","dump-windowsapps", "dump-iosapps", - "dump-androidapps", "dump-macosapps","get-scriptcontent", - "display-avpolicyrules", "display-asrpolicyrules", - "display-diskencryptionpolicyrules", "display-firewallconfigpolicyrules", - "display-firewallrulepolicyrules", "display-edrpolicyrules", - "display-lapsaccountprotectionpolicyrules", - "display-usergroupaccountprotectionpolicyrules", "add-exclusiongrouptopolicy", - "deploy-maliciousscript", "deploy-maliciousweblink", "backdoor-script", - "update-deviceconfig", "reboot-device", "retire-device", "lock-device", - "shutdown-device"]: - getattr(intune_exploit, args.command.replace("-", "_"))(args) - - # Cleanup commands - elif args.command in ["delete-user", "delete-group", "remove-groupmember", "delete-application", - "delete-device", "wipe-device"]: - getattr(cleanup, args.command.replace("-", "_"))(args) - - # Locator commands - elif args.command in ["locate-objectid", "locate-permissionid"]: - getattr(locators, args.command.replace("-", "_"))(args) - - # ... - elif args.command and args.command.lower() not in available_commands: - print_red(f"[-] Error: Unknown command '{args.command}'. Use --list-commands to see available commands") + except KeyboardInterrupt: + print_red("\n[-] Operation cancelled by user") + sys.exit(1) + except Exception as e: + print_red(f"\n[-] An error occurred while executing '{args.command}': {str(e)}") + sys.exit(1) if __name__ == "__main__": main() \ No newline at end of file diff --git a/graphpython/commands/__init__.py b/Graphpython/commands/__init__.py similarity index 100% rename from graphpython/commands/__init__.py rename to Graphpython/commands/__init__.py diff --git a/graphpython/commands/auth.py b/Graphpython/commands/auth.py similarity index 99% rename from graphpython/commands/auth.py rename to Graphpython/commands/auth.py index a7b8dfe..b01aacd 100644 --- a/graphpython/commands/auth.py +++ b/Graphpython/commands/auth.py @@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.serialization import pkcs12 from cryptography.hazmat.backends import default_backend from urllib.parse import urlencode, urlparse, parse_qs -from graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token +from Graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token ################## # Authentication # @@ -833,7 +833,7 @@ def invoke_refreshtosharepointtoken(args): # invoke-certtoaccesstoken def invoke_certtoaccesstoken(args): if not args.tenant or not args.cert or not args.id: - print_red("[-] Error: --tenant, --cert, and --id arguments are required for Invoke-CertToAccessToken command") + print_red("[-] Error: --tenant, --cert, and --id arguments are required for Invoke-CertToAccessToken command") return print_yellow("[*] Invoke-CertToAccessToken") diff --git a/graphpython/commands/cleanup.py b/Graphpython/commands/cleanup.py similarity index 83% rename from graphpython/commands/cleanup.py rename to Graphpython/commands/cleanup.py index 2707e38..8e51460 100644 --- a/graphpython/commands/cleanup.py +++ b/Graphpython/commands/cleanup.py @@ -1,10 +1,11 @@ import requests -from graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token +from Graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token ########### # Cleanup # ########### +# delete-user def delete_user(args): if not args.id: print_red("[-] Error: --id argument is required for Delete-User command") @@ -27,6 +28,7 @@ def delete_user(args): print_red(response.text) print("=" * 80) +# delete-group def delete_group(args): if not args.id: print_red("[-] Error: --id argument is required for Delete-Group command") @@ -49,6 +51,7 @@ def delete_group(args): print_red(response.text) print("=" * 80) +# remove-groupmember def remove_groupmember(args): if not args.id: print_red("[-] Error: --id groupid,objectid required for Remove-GroupMember command") @@ -77,6 +80,7 @@ def remove_groupmember(args): print_red(response.text) print("=" * 80) +# delete-application def delete_application(args): if not args.id: print_red("[-] Error: --id argument is required for Delete-Application command") @@ -99,6 +103,7 @@ def delete_application(args): print_red(response.text) print("=" * 80) +# delete-device def delete_device(args): if not args.id: print_red("[-] Error: --id argument is required for Delete-Device command") @@ -121,6 +126,7 @@ def delete_device(args): print_red(response.text) print("=" * 80) +# wipe-device def wipe_device(args): if not args.id: print_red("[-] Error: --id argument is required for Wipe-Device command") @@ -149,4 +155,28 @@ def wipe_device(args): else: print_red(f"[-] Failed to initiate device wipe: {response.status_code}") print_red(response.text) + print("=" * 80) + +# retire-device +def retire_device(args): + if not args.id: + print_red("[-] Error: --id argument is required for Retire-Device command") + return + + print_yellow("[*] Retire-Device") + print("=" * 80) + api_url = f"https://graph.microsoft.com/beta/deviceManagement/managedDevices/{args.id}/retire" + user_agent = get_user_agent(args) + + headers = { + 'Authorization': f'Bearer {get_access_token(args.token)}', + 'User-Agent': user_agent + } + + response = requests.post(api_url, headers=headers) + if response.ok: + print_green(f"[+] Device retire initiated successfully") + else: + print_red(f"[-] Failed to initiate device retire: {response.status_code}") + print_red(response.text) print("=" * 80) \ No newline at end of file diff --git a/Graphpython/commands/directoryroles.txt b/Graphpython/commands/directoryroles.txt new file mode 100644 index 0000000..59c3689 --- /dev/null +++ b/Graphpython/commands/directoryroles.txt @@ -0,0 +1,526 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RoleDescriptionTemplate ID
Application AdministratorCan create and manage all aspects of app registrations and enterprise apps.
Privileged label icon.
9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
Application DeveloperCan create application registrations independent of the 'Users can register applications' setting.
Privileged label icon.
cf1c38e5-3621-4004-a7cb-879624dced7c
Attack Payload AuthorCan create attack payloads that an administrator can initiate later.9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f
Attack Simulation AdministratorCan create and manage all aspects of attack simulation campaigns.c430b396-e693-46cc-96f3-db01bf8bb62a
Attribute Assignment AdministratorAssign custom security attribute keys and values to supported Microsoft Entra objects.58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d
Attribute Assignment ReaderRead custom security attribute keys and values for supported Microsoft Entra objects.ffd52fa5-98dc-465c-991d-fc073eb59f8f
Attribute Definition AdministratorDefine and manage the definition of custom security attributes.8424c6f0-a189-499e-bbd0-26c1753c96d4
Attribute Definition ReaderRead the definition of custom security attributes.1d336d2c-4ae8-42ef-9711-b3604ce3fc2c
Attribute Log AdministratorRead audit logs and configure diagnostic settings for events related to custom security attributes.5b784334-f94b-471a-a387-e7219fc49ca2
Attribute Log ReaderRead audit logs related to custom security attributes.9c99539d-8186-4804-835f-fd51ef9e2dcd
Authentication AdministratorCan access to view, set and reset authentication method information for any non-admin user.
Privileged label icon.
c4e39bd9-1100-46d3-8c65-fb160da0071f
Authentication Extensibility AdministratorCustomize sign in and sign up experiences for users by creating and managing custom authentication extensions.
Privileged label icon.
25a516ed-2fa0-40ea-a2d0-12923a21473a
Authentication Policy AdministratorCan create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials.0526716b-113d-4c15-b2c8-68e3c22b9f80
Azure DevOps AdministratorCan manage Azure DevOps policies and settings.e3973bdf-4987-49ae-837a-ba8e231c7286
Azure Information Protection AdministratorCan manage all aspects of the Azure Information Protection product.7495fdc4-34c4-4d15-a289-98788ce399fd
B2C IEF Keyset AdministratorCan manage secrets for federation and encryption in the Identity Experience Framework (IEF).
Privileged label icon.
aaf43236-0c0d-4d5f-883a-6955382ac081
B2C IEF Policy AdministratorCan create and manage trust framework policies in the Identity Experience Framework (IEF).3edaf663-341e-4475-9f94-5c398ef6c070
Billing AdministratorCan perform common billing related tasks like updating payment information.b0f54661-2d74-4c50-afa3-1ec803f12efe
Cloud App Security AdministratorCan manage all aspects of the Defender for Cloud Apps product.892c5842-a9a6-463a-8041-72aa08ca3cf6
Cloud Application AdministratorCan create and manage all aspects of app registrations and enterprise apps except App Proxy.
Privileged label icon.
158c047a-c907-4556-b7ef-446551a6b5f7
Cloud Device AdministratorLimited access to manage devices in Microsoft Entra ID.
Privileged label icon.
7698a772-787b-4ac8-901f-60d6b08affd2
Compliance AdministratorCan read and manage compliance configuration and reports in Microsoft Entra ID and Microsoft 365.17315797-102d-40b4-93e0-432062caca18
Compliance Data AdministratorCreates and manages compliance content.e6d1a23a-da11-4be4-9570-befc86d067a7
Conditional Access AdministratorCan manage Conditional Access capabilities.
Privileged label icon.
b1be1c3e-b65d-4f19-8427-f6fa0d97feb9
Customer LockBox Access ApproverCan approve Microsoft support requests to access customer organizational data.5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91
Desktop Analytics AdministratorCan access and manage Desktop management tools and services.38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4
Directory ReadersCan read basic directory information. Commonly used to grant directory read access to applications and guests.88d8e3e3-8f55-4a1e-953a-9b9898b8876b
Directory Synchronization AccountsOnly used by Microsoft Entra Connect and Microsoft Entra Cloud Sync services.
Privileged label icon.
d29b2b05-8046-44ba-8758-1e26182fcf32
Directory WritersCan read and write basic directory information. For granting access to applications, not intended for users.
Privileged label icon.
9360feb5-f418-4baa-8175-e2a00bac4301
Domain Name AdministratorCan manage domain names in cloud and on-premises.
Privileged label icon.
8329153b-31d0-4727-b945-745eb3bc5f31
Dynamics 365 AdministratorCan manage all aspects of the Dynamics 365 product.44367163-eba1-44c3-98af-f5787879f96a
Dynamics 365 Business Central AdministratorAccess and perform all administrative tasks on Dynamics 365 Business Central environments.963797fb-eb3b-4cde-8ce3-5878b3f32a3f
Edge AdministratorManage all aspects of Microsoft Edge.3f1acade-1e04-4fbc-9b69-f0302cd84aef
Exchange AdministratorCan manage all aspects of the Exchange product.29232cdf-9323-42fd-ade2-1d097af3e4de
Exchange Recipient AdministratorCan create or update Exchange Online recipients within the Exchange Online organization.31392ffb-586c-42d1-9346-e59415a2cc4e
External ID User Flow AdministratorCan create and manage all aspects of user flows.6e591065-9bad-43ed-90f3-e9424366d2f0
External ID User Flow Attribute AdministratorCan create and manage the attribute schema available to all user flows.0f971eea-41eb-4569-a71e-57bb8a3eff1e
External Identity Provider AdministratorCan configure identity providers for use in direct federation.
Privileged label icon.
be2f45a1-457d-42af-a067-6ec1fa63bc45
Fabric AdministratorCan manage all aspects of the Fabric and Power BI products.a9ea8996-122f-4c74-9520-8edcd192826c
Global AdministratorCan manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities.
Privileged label icon.
62e90394-69f5-4237-9190-012177145e10
Global ReaderCan read everything that a Global Administrator can, but not update anything.
Privileged label icon.
f2ef992c-3afb-46b9-b7cf-a126ee74c451
Global Secure Access AdministratorCreate and manage all aspects of Microsoft Entra Internet Access and Microsoft Entra Private Access, including managing access to public and private endpoints.ac434307-12b9-4fa1-a708-88bf58caabc1
Groups AdministratorMembers of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports.fdd7a751-b60b-444a-984c-02652fe8fa1c
Guest InviterCan invite guest users independent of the 'members can invite guests' setting.95e79109-95c0-4d8e-aee3-d01accf2d47b
Helpdesk AdministratorCan reset passwords for non-administrators and Helpdesk Administrators.
Privileged label icon.
729827e3-9c14-49f7-bb1b-9608f156bbb8
Hybrid Identity AdministratorManage Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (seamless SSO), and federation settings. Does not have access to manage Microsoft Entra Connect Health.
Privileged label icon.
8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2
Identity Governance AdministratorManage access using Microsoft Entra ID for identity governance scenarios.45d8d3c5-c802-45c6-b32a-1d70b5e1e86e
Insights AdministratorHas administrative access in the Microsoft 365 Insights app.eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c
Insights AnalystAccess the analytical capabilities in Microsoft Viva Insights and run custom queries.25df335f-86eb-4119-b717-0ff02de207e9
Insights Business LeaderCan view and share dashboards and insights via the Microsoft 365 Insights app.31e939ad-9672-4796-9c2e-873181342d2d
Intune AdministratorCan manage all aspects of the Intune product.
Privileged label icon.
3a2c62db-5318-420d-8d74-23affee5d9d5
Kaizala AdministratorCan manage settings for Microsoft Kaizala.74ef975b-6605-40af-a5d2-b9539d836353
Knowledge AdministratorCan configure knowledge, learning, and other intelligent features.b5a8dcf3-09d5-43a9-a639-8e29ef291470
Knowledge ManagerCan organize, create, manage, and promote topics and knowledge.744ec460-397e-42ad-a462-8b3f9747a02c
License AdministratorCan manage product licenses on users and groups.4d6ac14f-3453-41d0-bef9-a3e0c569773a
Lifecycle Workflows AdministratorCreate and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID.
Privileged label icon.
59d46f88-662b-457b-bceb-5c3809e5908f
Message Center Privacy ReaderCan read security messages and updates in Office 365 Message Center only.ac16e43d-7b2d-40e0-ac05-243ff356ab5b
Message Center ReaderCan read messages and updates for their organization in Office 365 Message Center only.790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b
Microsoft 365 Migration AdministratorPerform all migration functionality to migrate content to Microsoft 365 using Migration Manager.8c8b803f-96e1-4129-9349-20738d9f9652
Microsoft Entra Joined Device Local AdministratorUsers assigned to this role are added to the local administrators group on Microsoft Entra joined devices.9f06204d-73c1-4d4c-880a-6edb90606fd8
Microsoft Hardware Warranty AdministratorCreate and manage all aspects warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens.1501b917-7653-4ff9-a4b5-203eaf33784f
Microsoft Hardware Warranty SpecialistCreate and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens.281fe777-fb20-4fbb-b7a3-ccebce5b0d96
Modern Commerce AdministratorCan manage commercial purchases for a company, department or team.d24aef57-1500-4070-84db-2666f29cf966
Network AdministratorCan manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications.d37c8bed-0711-4417-ba38-b4abe66ce4c2
Office Apps AdministratorCan manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices.2b745bdf-0803-4d80-aa65-822c4493daac
Organizational Branding AdministratorManage all aspects of organizational branding in a tenant.92ed04bf-c94a-4b82-9729-b799a7a4c178
Organizational Messages ApproverReview, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they are sent to users.e48398e2-f4bb-4074-8f31-4586725e205b
Organizational Messages WriterWrite, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces.507f53e4-4e52-4077-abd3-d2e1558b6ea2
Partner Tier1 SupportDo not use - not intended for general use.
Privileged label icon.
4ba39ca4-527c-499a-b93d-d9b492c50246
Partner Tier2 SupportDo not use - not intended for general use.
Privileged label icon.
e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8
Password AdministratorCan reset passwords for non-administrators and Password Administrators.
Privileged label icon.
966707d0-3269-4727-9be2-8c3a10f19b9d
Permissions Management AdministratorManage all aspects of Microsoft Entra Permissions Management.af78dc32-cf4d-46f9-ba4e-4428526346b5
Power Platform AdministratorCan create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate.11648597-926c-4cf3-9c36-bcebb0ba8dcc
Printer AdministratorCan manage all aspects of printers and printer connectors.644ef478-e28f-4e28-b9dc-3fdde9aa0b1f
Printer TechnicianCan register and unregister printers and update printer status.e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477
Privileged Authentication AdministratorCan access to view, set and reset authentication method information for any user (admin or non-admin).
Privileged label icon.
7be44c8a-adaf-4e2a-84d6-ab2649e08a13
Privileged Role AdministratorCan manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management.
Privileged label icon.
e8611ab8-c189-46e8-94e1-60213ab1f814
Reports ReaderCan read sign-in and audit reports.4a5d8f65-41da-4de4-8968-e035b65339cf
Search AdministratorCan create and manage all aspects of Microsoft Search settings.0964bb5e-9bdb-4d7b-ac29-58e794862a40
Search EditorCan create and manage the editorial content such as bookmarks, Q and As, locations, floorplan.8835291a-918c-4fd7-a9ce-faa49f0cf7d9
Security AdministratorCan read security information and reports, and manage configuration in Microsoft Entra ID and Office 365.
Privileged label icon.
194ae4cb-b126-40b2-bd5b-6091b380977d
Security OperatorCreates and manages security events.
Privileged label icon.
5f2222b1-57c3-48ba-8ad5-d4759f1fde6f
Security ReaderCan read security information and reports in Microsoft Entra ID and Office 365.
Privileged label icon.
5d6b6bb7-de71-4623-b4af-96380a352509
Service Support AdministratorCan read service health information and manage support tickets.f023fd81-a637-4b56-95fd-791ac0226033
SharePoint AdministratorCan manage all aspects of the SharePoint service.f28a1f50-f6e7-4571-818b-6a12f2af6b6c
SharePoint Embedded AdministratorManage all aspects of SharePoint Embedded containers.1a7d78b6-429f-476b-b8eb-35fb715fffd4
Skype for Business AdministratorCan manage all aspects of the Skype for Business product.75941009-915a-4869-abe7-691bff18279e
Teams AdministratorCan manage the Microsoft Teams service.69091246-20e8-4a56-aa4d-066075b2a7a8
Teams Communications AdministratorCan manage calling and meetings features within the Microsoft Teams service.baf37b3a-610e-45da-9e62-d9d1e5e8914b
Teams Communications Support EngineerCan troubleshoot communications issues within Teams using advanced tools.f70938a0-fc10-4177-9e90-2178f8765737
Teams Communications Support SpecialistCan troubleshoot communications issues within Teams using basic tools.fcf91098-03e3-41a9-b5ba-6f0ec8188a12
Teams Devices AdministratorCan perform management related tasks on Teams certified devices.3d762c5a-1b6c-493f-843e-55a3b42923d4
Teams Telephony AdministratorManage voice and telephony features and troubleshoot communication issues within the Microsoft Teams service.aa38014f-0993-46e9-9b45-30501a20909d
Tenant CreatorCreate new Microsoft Entra or Azure AD B2C tenants.112ca1a2-15ad-4102-995e-45b0bc479a6a
Usage Summary Reports ReaderRead Usage reports and Adoption Score, but can't access user details.75934031-6c7e-415a-99d7-48dbd49e875e
User AdministratorCan manage all aspects of users and groups, including resetting passwords for limited admins.
Privileged label icon.
fe930be7-5e62-47db-91af-98c3a49a38b1
User Experience Success ManagerView product feedback, survey results, and reports to find training and communication opportunities.27460883-1df1-4691-b032-3b79643e5e63
Virtual Visits AdministratorManage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app.e300d9e7-4a2b-4295-9eff-f1c78b36cc98
Viva Goals AdministratorManage and configure all aspects of Microsoft Viva Goals.92b086b3-e367-4ef2-b869-1de128fb986e
Viva Pulse AdministratorCan manage all settings for Microsoft Viva Pulse app.87761b17-1ed2-4af3-9acd-92a150038160
Windows 365 AdministratorCan provision and manage all aspects of Cloud PCs.11451d60-acb2-45eb-a7d6-43d0f0125c13
Windows Update Deployment AdministratorCan create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service.32696413-001a-46ae-978c-ce0f6b3620d2
Yammer AdministratorManage all aspects of the Yammer service.810a2642-a034-447f-a5e8-41beaa378541
\ No newline at end of file diff --git a/graphpython/commands/enum.py b/Graphpython/commands/enum.py similarity index 99% rename from graphpython/commands/enum.py rename to Graphpython/commands/enum.py index bc67243..b9c47ff 100644 --- a/graphpython/commands/enum.py +++ b/Graphpython/commands/enum.py @@ -4,8 +4,8 @@ import sys import time from bs4 import BeautifulSoup -from graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token -from graphpython.utils.helpers import graph_api_get +from Graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token +from Graphpython.utils.helpers import graph_api_get ########################## # Post-Auth Enuemeration # diff --git a/graphpython/commands/exploit.py b/Graphpython/commands/exploit.py similarity index 99% rename from graphpython/commands/exploit.py rename to Graphpython/commands/exploit.py index 3b0da0b..b064366 100644 --- a/graphpython/commands/exploit.py +++ b/Graphpython/commands/exploit.py @@ -11,8 +11,8 @@ from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.serialization import pkcs12 from cryptography.hazmat.backends import default_backend -from graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token -from graphpython.utils.helpers import read_file_content, format_list_style, highlight_search_term, read_and_encode_cert +from Graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token +from Graphpython.utils.helpers import read_file_content, format_list_style, highlight_search_term, read_and_encode_cert ########################## # Post-Auth Exploitation # @@ -557,13 +557,13 @@ def add_applicationcertificate(args): opessl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt opessl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -Only certificate (public key) with one of the following file types: +Then supply certificate (public key) with one of the following file types to --cert: .cer .pem .crt """ if not args.id or not args.cert: - print_red("[-] Error: --id and --cert required for Add-ApplicationCertificate command") + print_red("[-] Error: --id and --cert required for Add-ApplicationCertificate command") print_red(openssl) return diff --git a/graphpython/commands/graphpermissions.txt b/Graphpython/commands/graphpermissions.txt similarity index 100% rename from graphpython/commands/graphpermissions.txt rename to Graphpython/commands/graphpermissions.txt diff --git a/graphpython/commands/intune_enum.py b/Graphpython/commands/intune_enum.py similarity index 99% rename from graphpython/commands/intune_enum.py rename to Graphpython/commands/intune_enum.py index e4f4ef3..9ed9f02 100644 --- a/graphpython/commands/intune_enum.py +++ b/Graphpython/commands/intune_enum.py @@ -1,7 +1,7 @@ import requests import json -from graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token -from graphpython.utils.helpers import graph_api_get +from Graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token +from Graphpython.utils.helpers import graph_api_get ################################ # Post-Auth Intune Enumeration # diff --git a/graphpython/commands/intune_exploit.py b/Graphpython/commands/intune_exploit.py similarity index 99% rename from graphpython/commands/intune_exploit.py rename to Graphpython/commands/intune_exploit.py index a345809..401d810 100644 --- a/graphpython/commands/intune_exploit.py +++ b/Graphpython/commands/intune_exploit.py @@ -3,8 +3,8 @@ import sys import base64 from tabulate import tabulate -from graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token -from graphpython.utils.helpers import read_file_content, graph_api_get +from Graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token +from Graphpython.utils.helpers import read_file_content, graph_api_get ################################# # Post-Auth Intune Exploitation # @@ -1754,7 +1754,7 @@ def deploy_maliciousweblink(args): sys.exit() json_body = { - "@odata.type": "#microsoft.graph.windowsWebApp", + "@odata.type": "#microsoft.graph.windowsWebApp", # or microsoft.graph.webApp for standard web link "appUrl": appUrl, "categories": [], "description": description, @@ -1972,30 +1972,6 @@ def reboot_device(args): print_red(response.text) print("=" * 80) -# retire-device -def retire_device(args): - if not args.id: - print_red("[-] Error: --id argument is required for Retire-Device command") - return - - print_yellow("[*] Retire-Device") - print("=" * 80) - api_url = f"https://graph.microsoft.com/beta/deviceManagement/managedDevices/{args.id}/retire" - user_agent = get_user_agent(args) - - headers = { - 'Authorization': f'Bearer {get_access_token(args.token)}', - 'User-Agent': user_agent - } - - response = requests.post(api_url, headers=headers) - if response.ok: - print_green(f"[+] Device retire initiated successfully") - else: - print_red(f"[-] Failed to initiate device retire: {response.status_code}") - print_red(response.text) - print("=" * 80) - # lock-device def lock_device(args): if not args.id: diff --git a/graphpython/commands/locators.py b/Graphpython/commands/locators.py similarity index 74% rename from graphpython/commands/locators.py rename to Graphpython/commands/locators.py index c3994b5..fb06e6b 100644 --- a/graphpython/commands/locators.py +++ b/Graphpython/commands/locators.py @@ -1,7 +1,8 @@ import requests import os +import re from bs4 import BeautifulSoup -from graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token +from Graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token ############ # Locators # @@ -98,20 +99,19 @@ def locate_permissionid(args): if not args.id: print_red("[-] Error: --id argument is required for Locate-PermissionID command") return - print_yellow("[*] Locate-PermissionID") print("=" * 80) def parse_html(content): soup = BeautifulSoup(content, 'html.parser') permissions = {} - + for h3 in soup.find_all('h3'): title = h3.text table = h3.find_next('table') headers = [th.text for th in table.find('thead').find_all('th')] rows = table.find('tbody').find_all('tr') - + permission_data = {} for row in rows: cells = row.find_all('td') @@ -123,20 +123,20 @@ def parse_html(content): headers[2]: delegated } permissions[title] = permission_data - + return permissions def highlight(text, should_highlight): if should_highlight: return f"\033[92m{text}\033[0m" return text - - def print_permission(permission, data, app_ids, delegated_ids): + + def print_permission(permission, data, identifiers): print_green(f"{permission}") for category, values in data.items(): print(f" {category}:") - app_highlight = data['Identifier']['Application'] in app_ids - delegated_highlight = data['Identifier']['Delegated'] in delegated_ids + app_highlight = data['Identifier']['Application'] in identifiers or permission in identifiers + delegated_highlight = data['Identifier']['Delegated'] in identifiers or permission in identifiers print(f" Application: {highlight(values['Application'], app_highlight)}") print(f" Delegated: {highlight(values['Delegated'], delegated_highlight)}") print() @@ -144,7 +144,7 @@ def print_permission(permission, data, app_ids, delegated_ids): identifiers = args.id.split(',') script_dir = os.path.dirname(os.path.abspath(__file__)) file_path = os.path.join(script_dir, 'graphpermissions.txt') - + try: with open(file_path, 'r') as file: content = file.read() @@ -156,25 +156,80 @@ def print_permission(permission, data, app_ids, delegated_ids): print_red(f"[-] An error occurred: {e}") print("=" * 80) return - + permissions = parse_html(content) - app_ids = [] - delegated_ids = [] - - for permission, data in permissions.items(): - if data['Identifier']['Application'] in identifiers: - app_ids.append(data['Identifier']['Application']) - if data['Identifier']['Delegated'] in identifiers: - delegated_ids.append(data['Identifier']['Delegated']) - found_permissions = False - + for permission, data in permissions.items(): - if data['Identifier']['Application'] in app_ids or data['Identifier']['Delegated'] in delegated_ids: - print_permission(permission, data, app_ids, delegated_ids) + if (data['Identifier']['Application'] in identifiers or + data['Identifier']['Delegated'] in identifiers or + permission in identifiers): + print_permission(permission, data, identifiers) found_permissions = True - + if not found_permissions: - print_red("[-] Permission ID not found") + print_red("[-] Permission ID or name not found") + + print("=" * 80) + +def locate_directoryrole(args): + if not args.id: + print_red("[-] Error: --id argument is required for Locate-DirectoryRole command") + return + print_yellow("[*] Locate-DirectoryRole") + print("=" * 80) + + def parse_html(content): + soup = BeautifulSoup(content, 'html.parser') + roles = [] + for row in soup.find_all('tr')[1:]: # skip header row + cells = row.find_all('td') + if len(cells) == 3: + role_name = cells[0].text.strip() + description = cells[1].text.strip() + template_id = cells[2].text.strip() + privileged = 'privileged-roles-permissions' in str(cells[1]) + roles.append({ + 'name': role_name, + 'description': description, + 'template_id': template_id, + 'privileged': privileged + }) + return roles + + def print_role(role): + print(f"Role: \033[92m{role['name']}\033[0m") + print(f"Description: \033[92m{role['description']}\033[0m") + print(f"Template ID: \033[92m{role['template_id']}\033[0m") + print(f"Privileged: \033[92m{'Yes' if role['privileged'] else 'No'}\033[0m") + print() + + identifier = args.id.lower() + + script_dir = os.path.dirname(os.path.abspath(__file__)) + file_path = os.path.join(script_dir, 'directoryroles.txt') + try: + with open(file_path, 'r', encoding='utf-8') as file: + content = file.read() + except FileNotFoundError: + print_red(f"[-] The file {file_path} does not exist.") + print("=" * 80) + return + except Exception as e: + print_red(f"[-] An error occurred while reading the file: {e}") + print("=" * 80) + return + + roles = parse_html(content) + found_role = False + + for role in roles: + if identifier in role['name'].lower() or identifier == role['template_id'].lower(): + print_role(role) + found_role = True + + if not found_role: + print_red("[-] Directory role ID or name not found") + print("=" * 80) \ No newline at end of file diff --git a/graphpython/commands/outsider.py b/Graphpython/commands/outsider.py similarity index 98% rename from graphpython/commands/outsider.py rename to Graphpython/commands/outsider.py index 4597f57..eb228c0 100644 --- a/graphpython/commands/outsider.py +++ b/Graphpython/commands/outsider.py @@ -2,8 +2,8 @@ from tqdm import tqdm import dns.resolver import os -from graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token -from graphpython.utils.helpers import get_tenant_domains +from Graphpython.utils.helpers import print_yellow, print_green, print_red, get_user_agent, get_access_token +from Graphpython.utils.helpers import get_tenant_domains ############ # Outsider # diff --git a/graphpython/utils/__init__.py b/Graphpython/utils/__init__.py similarity index 100% rename from graphpython/utils/__init__.py rename to Graphpython/utils/__init__.py diff --git a/graphpython/utils/helpers.py b/Graphpython/utils/helpers.py similarity index 99% rename from graphpython/utils/helpers.py rename to Graphpython/utils/helpers.py index 3449a68..6096eb0 100644 --- a/graphpython/utils/helpers.py +++ b/Graphpython/utils/helpers.py @@ -161,7 +161,6 @@ def list_commands(): ["Display-UserGroupAccountProtectionPolicyRules", "Display user group account protection policy rules"], ["Add-ExclusionGroupToPolicy", "Bypass av, asr, etc. rules by adding an exclusion group containing compromised user or device"], ["Reboot-Device", "Reboot managed device"], - ["Retire-Device", "Retire managed device"], ["Lock-Device", "Lock managed device"], ["Shutdown-Device", "Shutdown managed device"], ["Update-DeviceConfig", "Update properties of the managed device configuration"] @@ -174,11 +173,13 @@ def list_commands(): ["Delete-Application", "Delete an application"], ["Delete-Device", "Delete managed device"], ["Wipe-Device", "Wipe managed device"], + ["Retire-Device", "Retire managed device"] ] locator_commands = [ ["Locate-ObjectID", "Locate object ID and display object properties"], - ["Locate-PermissionID", "Locate Graph permission details (application/delegated, description, admin consent required, ...) for ID"] + ["Locate-PermissionID", "Locate Graph permission details (application/delegated, description, admin consent required) for ID or permission name"], + ["Locate-DirectoryRole", "Locate Entra directory role information for template ID or role name"] ] print("Outsider") diff --git a/README.md b/README.md index e95572f..59de136 100644 --- a/README.md +++ b/README.md @@ -10,604 +10,262 @@ Graphpython covers external reconnaissance, authentication/token manipulation, e ## Index -- [Install](#Install) +- [Installation](#Installation) - [Usage](#Usage) - [Commands](#Commands) -- [Demo](#demos) - - [Outsider](#outsider-1) - - [Invoke-ReconAsOutsider](#invoke-reconasoutsider) - - [Invoke-UserEnumerationAsOutsider](#invoke-userenumerationasoutsider) - - [Authentication](#authentication-1) - - [Get-GraphTokens](#get-graphtokens) - - [Invoke-RefreshToAzureManagementToken](#invoke-refreshtoazuremanagementtoken) - - [Invoke-CertToAccessToken](#invoke-certtoaccesstoken) - - [Invoke-ESTSCookieToAccessToken](#invoke-estscookietoaccesstoken) - - [Post-Auth Enumeration](#post-auth-enumeration-1) - - [Get-User](#get-user) - - [Get-UserPrivileges](#get-userprivileges) - - [Get-Application](#get-application) - - [List-RecentOneDriveFiles](#list-recentonedrivefiles) - - [Post-Auth Exploitation](#post-auth-exploitation-1) - - [Invite-GuestUser](#invite-guestuser) - - [Find-PrivilegedRoleUsers](#find-privilegedroleusers) - - [Assign-PrivilegedRole](#assign-privilegedrole) - - [Find-PrivilegedApplications](#find-privilegedapplications) - - [Add-ApplicationPermission](#add-applicationpermission) - - [Spoof-OWAEmailMessage](#spoof-owaemailmessage) - - [Find-DynamicGroups](#find-dynamicgroups) - - [Find-UpdatableGroups](#find-updatablegroups) - - [Post-Auth Intune Enumeration](#post-auth-intune-enumeration-1) - - [Get-ManagedDevices](#get-manageddevices) - - [Get-UserDevices](#get-userdevices) - - [Get-DeviceConfigurationPolicies](#get-deviceconfigurationpolicies) - - [Post-Auth Intune Exploitation](#post-auth-intune-exploitation-1) - - [Display-AVPolicyRules](#display-avpolicyrules) - - [Get-ScriptContent](#get-scriptcontent) - - [Backdoor-Script](#backdoor-script) - - [Deploy-MaliciousScript](#deploy-maliciousscript) - - [Add-ExclusionGroupToPolicy](#add-exclusiongrouptopolicy) - - [Cleanup](#cleanup-1) - - [Remove-GroupMember](#remove-groupmember) - - [Locators](#locators-1) - - [Locate-ObjectID](#locate-objectid) - - [Locate-PermissionID](#locate-permissionid) - - - -## Install - -> Reformatted entire codebase, more installation options are available now. PyPi install will be supported soon. - -Either install via pip: +- [Demos](#Demos) + +## Installation + +Graphpython is designed to be cross-platform, ensuring compatibility with both Windows and Linux based operating systems: + ``` git clone https://github.com/mlcsec/Graphpython.git cd Graphpython pip install . -graphpython -``` -Or run as before via git and Python3: ``` -git clone https://github.com/mlcsec/Graphpython.git -cd Graphpython -pip3 install -r requirements.txt -python3 graphpython.py +```bash +Graphpython -h +# or +python3 Graphpython.py -h ``` ## Usage +Please refer to the [Wiki](https://github.com/mlcsec/Graphpython/wiki/Usage) for more details +

## Commands -Please refer to the [Wiki](https://github.com/mlcsec/Graphpython/wiki) for the full user guide and details of available functionality. - -### Outsider - -* **Invoke-ReconAsOutsider** - Perform outsider recon of the target domain -* **Invoke-UserEnumerationAsOutsider** - Checks whether the user exists within Azure AD - -### Authentication - -* **Get-GraphTokens** - Obtain graph token via device code phish -* **Get-TenantID** - Get tenant ID for target domain -* **Get-TokenScope** - Get scope of supplied token -* **Decode-AccessToken** - Get all token payload attributes -* **Invoke-RefreshToMSGraphToken** - Convert refresh token to Microsoft Graph token -* **Invoke-RefreshToAzureManagementToken** - Convert refresh token to Azure Management token -* **Invoke-RefreshToVaultToken** - Convert refresh token to Azure Vault token -* **Invoke-RefreshToMSTeamsToken** - Convert refresh token to MS Teams token -* **Invoke-RefreshToOfficeAppsToken** - Convert refresh token to Office Apps token -* **Invoke-RefreshToOfficeManagementToken** - Convert refresh token to Office Management token -* **Invoke-RefreshToOutlookToken** - Convert refresh token to Outlook token -* **Invoke-RefreshToSubstrateToken** - Convert refresh token to Substrate token -* **Invoke-RefreshToYammerToken** - Convert refresh token to Yammer token -* **Invoke-RefreshToIntuneEnrollmentToken** - Convert refresh token to Intune Enrollment token -* **Invoke-RefreshToOneDriveToken** - Convert refresh token to OneDrive token -* **Invoke-RefreshToSharePointToken** - Convert refresh token to SharePoint token -* **Invoke-CertToAccessToken** - Convert Azure Application certificate to JWT access token -* **Invoke-ESTSCookieToAccessToken** - Convert ESTS cookie to MS Graph access token -* **Invoke-AppSecretToAccessToken** - Convert Azure Application secretText credentials to access token -* **New-SignedJWT** - Construct JWT and sign using Key Vault PEM certificate (Azure Key Vault access token required) then generate Azure Management token - -### Post-Auth Enumeration - -* **Get-CurrentUser** - Get current user profile -* **Get-CurrentUserActivity** - Get recent activity and actions of current user -* **Get-OrgInfo** - Get information relating to the target organization -* **Get-Domains** - Get domain objects -* **Get-User** - Get all users (default) or target user -* **Get-UserProperties** - Get current user properties (default) or target user -* **Get-UserGroupMembership** - Get group memberships for current user (default) or target user -* **Get-UserTransitiveGroupMembership** - Get transitive group memberships for current user (default) or target user -* **Get-Group** - Get all groups (default) or target group -* **Get-GroupMember** - Get all members of target group -* **Get-AppRoleAssignments** - Get application role assignments for current user (default) or target user -* **Get-ConditionalAccessPolicy** - Get conditional access policy properties -* **Get-Application** - Get Enterprise Application details for app (NOT object) ID -* **Get-AppServicePrincipal** - Get details of the application's service principal from the app ID -* **Get-ServicePrincipal** - Get Service Principal details -* **Get-ServicePrincipalAppRoleAssignments** - Get Service Principal app role assignments (shows available admin consent permissions that are already granted) -* **Get-PersonalContacts** - Get contacts of the current user -* **Get-CrossTenantAccessPolicy** - Get cross tenant access policy properties -* **Get-PartnerCrossTenantAccessPolicy** - Get partner cross tenant access policy -* **Get-UserChatMessages** - Get ALL messages from all chats for target user (Chat.Read.All) -* **Get-AdministrativeUnitMember** - Get members of administrative unit -* **Get-OneDriveFiles** - Get all accessible OneDrive files for current user (default) or target user -* **Get-UserPermissionGrants** - Get permissions grants of current user (default) or target user -* **Get-oauth2PermissionGrants** - Get oauth2 permission grants for current user (default) or target user -* **Get-Messages** - Get all messages in signed-in user's mailbox (default) or target user -* **Get-TemporaryAccessPassword** - Get TAP details for current user (default) or target user -* **Get-Password** - Get passwords registered to current user (default) or target user -* **List-AuthMethods** - List authentication methods for current user (default) or target user -* **List-DirectoryRoles** - List all directory roles activated in the tenant -* **List-Notebooks** - List current user notebooks (default) or target user -* **List-ConditionalAccessPolicies** - List conditional access policy objects -* **List-ConditionalAuthenticationContexts** - List conditional access authentication context -* **List-ConditionalNamedLocations** - List conditional access named locations -* **List-SharePointRoot** - List root SharePoint site properties -* **List-SharePointSites** - List any available SharePoint sites -* **List-SharePointURLs** - List SharePoint site web URLs visible to current user -* **List-ExternalConnections** - List external connections -* **List-Applications** - List all Azure Applications -* **List-ServicePrincipals** - List all service principals -* **List-Tenants** - List tenants -* **List-JoinedTeams** - List joined teams for current user (default) or target user -* **List-Chats** - List chats for current user (default) or target user -* **List-ChatMessages** - List messages in target chat -* **List-Devices** - List devices -* **List-AdministrativeUnits** - List administrative units -* **List-OneDrives** - List current user OneDrive (default) or target user -* **List-RecentOneDriveFiles** - List current user recent OneDrive files -* **List-SharedOneDriveFiles** - List OneDrive files shared with the current user -* **List-OneDriveURLs** - List OneDrive web URLs visible to current user - -### Post-Auth Exploitation - -* **Invoke-CustomQuery** - Custom GET query to target Graph API endpoint -* **Invoke-Search** - Search for string within entity type (driveItem, message, chatMessage, site, event) -* **Find-PrivilegedRoleUsers** - Find users with privileged roles assigned -* **Find-PrivilegedApplications** - Find privileged apps (via their service principal) with granted admin consent API permissions -* **Find-UpdatableGroups** - Find groups which can be updated by the current user -* **Find-SecurityGroups** - Find security groups and group members -* **Find-DynamicGroups** - Find groups with dynamic membership rules -* **Update-UserPassword** - Update the passwordProfile of the target user (NewUserS3cret@Pass!) -* **Update-UserProperties** - Update a specific user property of the target user -* **Add-UserTAP** - Add new Temporary Access Password (TAP) to target user -* **Add-GroupMember** - Add member to target group -* **Add-ApplicationPassword** - Add client secret to target application -* **Add-ApplicationCertificate** - Add client certificate to target application -* **Add-ApplicationPermission** - Add permission to target application e.g. Mail.Send and attempt to grant admin consent -* **Grant-AppAdminConsent** - Grant admin consent for Graph API permission already assigned to enterprise application -* **Create-Application** - Create new enterprise application with default settings -* **Create-NewUser** - Create new Entra ID user -* **Invite-GuestUser** - Invite guest user to Entra ID -* **Assign-PrivilegedRole** - Assign chosen privileged role to user/group/object -* **Open-OWAMailboxInBrowser** - Open an OWA Office 365 mailbox in BurpSuite's embedded Chromium browser using either a Substrate.Office.com or Outlook.Office.com access token -* **Dump-OWAMailbox** - Dump OWA Office 365 mailbox -* **Spoof-OWAEmailMessage** - Send email from current user's Outlook mailbox or spoof another user (Mail.Send) - -### Post-Auth Intune Enumeration - -* **Get-ManagedDevices** - Get managed devices -* **Get-UserDevices** - Get user devices -* **Get-CAPs** - Get conditional access policies -* **Get-DeviceCategories** - Get device categories -* **Get-DeviceComplianceSummary** - Get device compliance summary -* **Get-DeviceConfigurations** - Get device configurations -* **Get-DeviceConfigurationPolicySettings** - Get device configuration policy settings -* **Get-DeviceEnrollmentConfigurations** - Get device enrollment configurations -* **Get-DeviceGroupPolicyConfigurations** - Get device group policy configurations and assignment details -* **Get-DeviceGroupPolicyDefinition** - Get device group policy definition -* **Get-RoleDefinitions** - Get role definitions -* **Get-RoleAssignments** - Get role assignments -* **Get-DeviceCompliancePolicies** - Get all device compliance policies (Android, iOS, macOS, Windows, Linux, etc.) -* **Get-DeviceConfigurationPolicies** - Get device configuration policies and assignment details (AV, ASR, DiskEnc, etc.) - +Please refer to the [Wiki](https://github.com/mlcsec/Graphpython/wiki/Commands) for more details on the available commands + +### Outsider + +- Invoke-ReconAsOutsider +- Invoke-UserEnumerationAsOutsider + +### Authentication + +- Get-GraphTokens +- Get-TenantID +- Get-TokenScope +- Decode-AccessToken +- Invoke-RefreshToMSGraphToken +- Invoke-RefreshToAzureManagementToken +- Invoke-RefreshToVaultToken +- Invoke-RefreshToMSTeamsToken +- Invoke-RefreshToOfficeAppsToken +- Invoke-RefreshToOfficeManagementToken +- Invoke-RefreshToOutlookToken +- Invoke-RefreshToSubstrateToken +- Invoke-RefreshToYammerToken +- Invoke-RefreshToIntuneEnrollmentToken +- Invoke-RefreshToOneDriveToken +- Invoke-RefreshToSharePointToken +- Invoke-CertToAccessToken +- Invoke-ESTSCookieToAccessToken +- Invoke-AppSecretToAccessToken +- New-SignedJWT + +### Post-Auth Enumeration + +- Get-CurrentUser +- Get-CurrentUserActivity +- Get-OrgInfo +- Get-Domains +- Get-User +- Get-UserProperties +- Get-UserGroupMembership +- Get-UserTransitiveGroupMembership +- Get-Group +- Get-GroupMember +- Get-AppRoleAssignments +- Get-ConditionalAccessPolicy +- Get-Application +- Get-AppServicePrincipal +- Get-ServicePrincipal +- Get-ServicePrincipalAppRoleAssignments +- Get-PersonalContacts +- Get-CrossTenantAccessPolicy +- Get-PartnerCrossTenantAccessPolicy +- Get-UserChatMessages +- Get-AdministrativeUnitMember +- Get-OneDriveFiles +- Get-UserPermissionGrants +- Get-oauth2PermissionGrants +- Get-Messages +- Get-TemporaryAccessPassword +- Get-Password +- List-AuthMethods +- List-DirectoryRoles +- List-Notebooks +- List-ConditionalAccessPolicies +- List-ConditionalAuthenticationContexts +- List-ConditionalNamedLocations +- List-SharePointRoot +- List-SharePointSites +- List-SharePointURLs +- List-ExternalConnections +- List-Applications +- List-ServicePrincipals +- List-Tenants +- List-JoinedTeams +- List-Chats +- List-ChatMessages +- List-Devices +- List-AdministrativeUnits +- List-OneDrives +- List-RecentOneDriveFiles +- List-SharedOneDriveFiles +- List-OneDriveURLs + +### Post-Auth Exploitation + +- Invoke-CustomQuery +- Invoke-Search +- Find-PrivilegedRoleUsers +- Find-PrivilegedApplications +- Find-UpdatableGroups +- Find-SecurityGroups +- Find-DynamicGroups +- Update-UserPassword +- Update-UserProperties +- Add-UserTAP +- Add-GroupMember +- Add-ApplicationPassword +- Add-ApplicationCertificate +- Add-ApplicationPermission +- Grant-AppAdminConsent +- Create-Application +- Create-NewUser +- Invite-GuestUser +- Assign-PrivilegedRole +- Open-OWAMailboxInBrowser +- Dump-OWAMailbox +- Spoof-OWAEmailMessage + +### Post-Auth Intune Enumeration + +- Get-ManagedDevices +- Get-UserDevices +- Get-CAPs +- Get-DeviceCategories +- Get-DeviceComplianceSummary +- Get-DeviceConfigurations +- Get-DeviceConfigurationPolicySettings +- Get-DeviceEnrollmentConfigurations +- Get-DeviceGroupPolicyConfigurations +- Get-DeviceGroupPolicyDefinition +- Get-RoleDefinitions +- Get-RoleAssignments +- Get-DeviceCompliancePolicies +- Get-DeviceConfigurationPolicies ### Post-Auth Intune Exploitation -* **Dump-DeviceManagementScripts** - Dump device management PowerShell scripts -* **Dump-WindowsApps**: Dump managed Windows OS applications (exe, msi, appx, msix, etc.) -* **Dump-iOSApps**: Dump managed iOS/iPadOS mobile applications -* **Dump-macOSApps**: Dump managed macOS applications -* **Dump-AndroidApps**: Dump managed Android mobile applications -* **Get-ScriptContent** - Get device management script content -* **Backdoor-Script** - Add malicious code to pre-existing device management script -* **Deploy-MaliciousScript** - Deploy new malicious device management PowerShell script (all devices) -* **Display-AVPolicyRules** - Display antivirus policy rules -* **Display-ASRPolicyRules** - Display Attack Surface Reduction (ASR) policy rules -* **Display-DiskEncryptionPolicyRules** - Display disk encryption policy rules -* **Display-FirewallConfigPolicyRules** - Display firewall configuration policy rules -* **Display-FirewallRulePolicyRules** - Display firewall rule policy rules (firewall rules not firewall config policy) -* **Display-EDRPolicyRules** - Display EDR policy rules -* **Display-LAPSAccountProtectionPolicyRules** - Display LAPS account protection policy rules -* **Display-UserGroupAccountProtectionPolicyRules** - Display user group account protection policy rules -* **Add-ExclusionGroupToPolicy** - Bypass av, asr, etc. rules by adding an exclusion group containing compromised user or device -* **Reboot-Device** - Reboot managed device -* **Retire-Device** - Retire managed device -* **Lock-Device** - Lock managed device -* **Shutdown-Device** - Shutdown managed device -* **Update-DeviceConfig** - Update properties of the managed device configuration +- Dump-DeviceManagementScripts +- Dump-WindowsApps +- Dump-iOSApps +- Dump-macOSApps +- Dump-AndroidApps +- Get-ScriptContent +- Backdoor-Script +- Deploy-MaliciousScript +- Deploy-MaliciousWebLink +- Display-AVPolicyRules +- Display-ASRPolicyRules +- Display-DiskEncryptionPolicyRules +- Display-FirewallConfigPolicyRules +- Display-FirewallRulePolicyRules +- Display-EDRPolicyRules +- Display-LAPSAccountProtectionPolicyRules +- Display-UserGroupAccountProtectionPolicyRules +- Add-ExclusionGroupToPolicy +- Reboot-Device +- Lock-Device +- Shutdown-Device +- Update-DeviceConfig ### Cleanup -* **Delete-User** - Delete a user -* **Delete-Group** - Delete a group -* **Remove-GroupMember** - Remove user from a group -* **Delete-Application** - Delete an application -* **Delete-Device** - Delete managed device -* **Wipe-Device** - Wipe managed device +- Delete-User +- Delete-Group +- Remove-GroupMember +- Delete-Application +- Delete-Device +- Wipe-Device +- Retire-Device ### Locators -* **Locate-ObjectID** - Find object ID and display object properties -* **Locate-PermissionID** - Find Graph permission ID details (application/delegated, description, admin consent required, ...) - - -
- -# Demo - -## Outsider - -### Invoke-ReconAsOutsider - -Perform unauthenticated external recon of the target domain like AADInternal's [Invoke-ReconAsOutsider](https://github.com/Gerenios/AADInternals/blob/master/KillChain.ps1#L8) - -#### Example: -``` -# graphpython.py --command invoke-reconasoutsider --domain company.com -``` -#### Output: -``` -[*] Invoke-ReconAsOutsider -================================================================================ -Domains: 2 -Tenant brand: Company Ltd -Tenant name: company -Tenant id: 05aea22e-32f3-4c35-831b-52735704feb3 -Tenant region: EU -DesktopSSO enabled: False -MDI instance: Not found -Uses cloud sync: False - -Name DNS MX SPF DMARC DKIM MTA-STS Type STS ----- --- --- ---- ----- ---- ------- ---- --- -company.com False False False False False False Federated sts.company.com -company.onmicrosoft.com True True True False True False Managed -================================================================================ -``` - -### Invoke-UserEnumerationAsOutsider - -Perform username enumeration for the target domain like AADInternal's [Invoke-UserEnumerationAsOutsider](https://github.com/Gerenios/AADInternals/blob/master/KillChain.ps1#L283): - -![](./.github/invokeuserenum.png) - -
- -## Authentication - -### Get-GraphTokens - -Obtain MS Graph tokens via device code authentication (can also be used for device code phishing): - -![](./.github/getgraphtokens.png) - -### Invoke-RefreshToAzureManagementToken - -A valid refresh token can be used to generate access tokens for a [variety of services](https://github.com/mlcsec/Graphpython/wiki#authentication), Azure Management for example shown below. The `--use-cae` switch can be included to use **Continuous Access Evaluation (CAE)** to obtain an access token that's valid for 24 hours: - -![](./.github/refreshtoazuremanagement.png) - -The returned access token can then be used to authenticate to Azure via the Az PowerShell module: -``` -PS > Connect-AzAccount -AccessToken eyJ0eXAi... -AccountId user@domain.onmicrosoft.com -Tenant 42838115-fbda-497e-b273-30944ff2786e - -Subscription name Tenant ------------------ ------ -Azure subscription 42838115-fbda-497e-b273-30944ff2786e -``` - -### Invoke-CertToAccesstoken - -If you stumble across an enterprise application certificate (.pfx) you can use it to request a valid MS Graph access token. - -> The enterprise application must have the corresponding .crt, .pem, or .cer in the application's certificates & secrets configuration otherwise you'll receive 401 client errors as the .pfx used to sign the client assertion won't be registered with the application - -![](./.github/certtoaccesstoken.png) - -The [Get-Application](https://github.com/mlcsec/Graphpython?tab=readme-ov-file#get-application) command can be used to identified the Graph permissions assigned to the compromised application. - -### Invoke-ESTSCookieToAccessToken - -Obtain an MS Graph token for a selected client (MSTeams, MSEdge, AzurePowershell) from a captured ESTSAUTH or ESTSAUTHPERSISTENT cookie: - -> ESTSAUTH and ESTSAUTHPERSISTENT cookies are often captured via successful Evilginx phishes - -![](./.github/estsauthcookie.png) - -
- -## Post-Auth Enumeration - -### Get-User - -Get all or specific user(s) details. User object can be supplied as user ID or User Principal Name: - -![](./.github/getuser.png) - -### Get-UserPrivileges - -Identifies assigned directory roles, Administrative Units, and Group membership information for the current user of target user: - -![](./.github/getuserprivileges.png) - - -### Get-Application - -Get details relating to the target application and now dynamically resolves the `requiredResourceAccess` attribute which contains Graph API role IDs assigned to the application: - -![](./.github/getapplication-updated.png) - -### List-RecentOneDriveFiles - -List recent OneDrive files belonging to current user: - -![](./.github/listrecentonedrivefiles.png) - -
- -## Post-Auth Exploitation - -### Invite-GuestUser - -Invite a malicious guest user to the target environment: - -![](./.github/inviteguestuser.png) - -### Find-PrivilegedRoleUsers - -Loops through 27 of the most privileged directory roles in Entra and displays any assignments to help identify high-value targets: - -![](./.github/findprivilegedroleusers.png) - -### Assign-PrivilegedRole - -Assign a privileged role via template ID to a user or group and define permission scope: - -![](./.github/assignprivilegedrole.png) - - -### Find-PrivilegedApplications - -Applications can be granted privileged Graph API permissions via 'Grant admin consent...' option for permissions marked 'Admin consent required': - -![](./.github/apiperms.png) - -The `Find-PrivilegedApplications` command helps to identify high-value apps that have already been assigned with privileged permssions: - -1. identifies all enterprise/registered applications within Entra (no default Microsoft ones included) -2. finds the service principal ID for each application -3. enumerates app role assignments for each application service principal -4. cross-references assigned app role IDs and data against .github/graphpermissions.txt -5. displays assigned role name and description - -![](./.github/findprivilegedapps.png) - -### Add-ApplicationPermission - -Adds desired Graph API permission to target application ID. If the role is privileged it will prompt the user to confirm whether to attempt to grant admin consent (via the `beta/directory/consentToApp` endpoint) using the current privileges: - -![](./.github/addapplicationpermission.png) - -> NOTE: if the admin consent grant attempt fails with 400 error the token likely doesn't have the necessary scope/permissions assigned - -The permission update succeeded in this instance and the application API permission is assigned however the admin consent grant obviously failed: - -![](./.github/azureperms1.png) - -Once you obtain the necessary permissions or compromise a privileged token then the `Grant-AppAdminConsent` command can be used to grant admin consent to the role that was added for the target app ID: - -![](./.github/grantappadminconsent.png) - -Verified in the Azure portal: - -![](./.github/azureperms2.png) - -Or you can use the `Get-Application` command: -``` -# graphpython.py --command get-application --id 3d84ebcc-0eef-4f59-ae2a-3fe0e1eb7f51 --token .\token --select requiredResourceAccess - -[*] Get-Application -================================================================================ -requiredResourceAccess: [{'resourceAppId': '00000003-0000-0000-c000-000000000000', 'resourceAccess': [{'id': 'd07a8cc0-3d51-4b77-b3b0-32704d1f69fa', 'type': 'Role'}]}] -================================================================================ -``` -The ID within `resourceAccess` corresponds to `AccessReview.Read.All` that was assigned as confirmed with [Locate-PermissionID](https://github.com/mlcsec/Graphpython/tree/main?tab=readme-ov-file#locate-permissionid): - -![](./.github/locatepermissionid.png) - - -### Spoof-OWAEmailMessage - -Send emails using a compromised user's Outlook mail box. The `--id` parameter can be used to send emails as other users within the organistion. - -> Mail.Send permission REQUIRED for `--id` spoofing - -Options: -1. Compromise and auth as an application service principal with the `Mail.Send` permission assigned then use `Spoof-OWAEmailMessage` -2. Obtain Global Admin/Application Admin/Cloud Admin permissions or assign role to an existing owned user with `Assign-PrivilegedRole` -> then add a password/certifcate and `Mail.Send` permission to an enterprise app -> auth as the app service principal and then use `Spoof-OWAEmailMessage` - -![](./.github/spoofowaemailcommand.png) - -The content of `--email email.txt` for reference: - -``` -Morning, - -Please use following login for the devops portal whilst the main app is down: - -https://malicious/login - -Regards, - -MC -``` -> I've not tested any HTML or similar formatted emails but in theory anything that works in Outlook normally should render correctly if supplied via `--email`. - -Can see the email in the target users Outlook: - -![](./.github/spoofowaemail.png) - - -### Find-DynamicGroups - -Identify groups with dyanmic group membership rules that can be abused: - -![](./.github/finddynamicgroups.png) - -In this instance you could create a new user (`Create-NewUser`) with 'admin' in their UPN to be assigned to the Dynamic Admins group. Or you could update the user's Department property via `Update-UserProperties`. - -### Find-UpdatableGroups - -Identify groups that can be updated with the current user's permissions: - -![](./.github/findupdatablegroups.png) - - -
- -## Post-Auth Intune Enumeration - -### Get-ManagedDevices - -List Intune managed devices then select and display device properties such as name, os version, and username: - -![](./.github/getmanageddevices.png) - -### Get-UserDevices - -Similarly you can identify all Intune managed devices and details belonging to a specific user by supplying their Entra User ID or their User Principal Name using the `--id` flag: - -![](./.github/getuserdevices.png) - -### Get-DeviceConfigurationPolicies - -Identify all created device configuration policies across the Intune environment with colour highlighting for policies with active/no assignments. This includes Antivirus (Defender), Disk encryption (Bitlocker), Firewall (policies and rules), EDR, and Attack Surface Reduction (ASR): - -![](./.github/getdeviceconfigurationpolicies.png) - -In the example above you can see an ASR policy in place which is assigned to all users and devices, however members of group ID `46a6...` are excluded. There is a Bitlocker policy but it hasn't been assigned to any devices. - -
- -## Post-Auth Intune Exploitation - -### Display-AVPolicyRules - -Display the rules for a Microsoft Defender Antivirus policy deployed via Intune: - -![](./.github/displayavpolicyrules.png) - -### Get-ScriptContent - -Get all device management PowerShell script details and content: - -![](./.github/getscriptcontent.png) - -### Backdoor-Script - -Identify a pre-existing device management script you want to add malicious code to and get it's content: - -![](./.github/getscriptcontent-new.png) - -Create a new script locally with the existing content and your malicious code added: - -![](./.github/createdirbackdoored.png) - -Supply the backdoored script to the `--script` flag which will then patch the existing script: - -![](./.github/backdoorscript.png) - - -### Deploy-MaliciousScript - -Create a new script with desired properties (signature check, run as account, etc.): - -![](./.github/deploymaliciousscript.png) - -Verified creation and assignment options in Microsoft Intune admin center: - -![](./.github/deploymaliciousscript-intuneportal.png) - -> NOTE: Deploy-PrinterSettings.ps1 is used for the actual script name instead of whatever is supplied to `--script`. Recommended updating this in graphpython.py to blend in to target env. - -### Add-ExclusionGroupToPolicy - -Instead of updating or removing an AV, ASR, Bitlocker etc. policy you can simply add an exclusion group which will keep any groups members (users/devices) exempt from the policy rules in place. - -Take the following Attack Surface Reduction (ASR) policy: - -![](./.github/addexclusiongroup1.png) - -Currently assigned to all users and devices: - -![](./.github/addexclusiongroup2.png) - -Adding an exclusion group to the ASR policy above: - -![](./.github/addexclusiongroup3.png) - -Verify the changes have been applied and Excluded Group ID has been added to the ASR policy: - -![](./.github/addexclusiongroup4.png) +- Locate-ObjectID +- Locate-PermissionID +- Locate-DirectoryRole
-## Cleanup - -### Remove-GroupMember - -Check the members of the target group: - -![](./.github/getgroupmember.png) - -Remove the group member by first supplying the groupid and object id to the `--id` flag: - -![](./.github/removegroupmember.png) - -Confirm that the object has been removed from the group: - -![](./.github/getgroupmemberafter.png) - -
- -## Locators - -### Locate-ObjectID - -Any unknown object IDs can be easily located: - -![](./.github/locateobjectid.png) - -### Locate-PermissionID - -Graph permission IDs applied to objects can be easily located with detailed explaination of the assigned permissions: - -![](./.github/getpermissionid.png) - - +# Demos + +Please refer to the [Wiki](https://github.com/mlcsec/Graphpython/wiki/Demos) for the following demos + +- [Outsider](https://github.com/mlcsec/Graphpython/wiki/Demos#outsider) + - [Invoke-ReconAsOutsider](https://github.com/mlcsec/Graphpython/wiki/Demos#invoke-reconasoutsider) + - [Invoke-UserEnumerationAsOutsider](https://github.com/mlcsec/Graphpython/wiki/Demos#invoke-userenumerationasoutsider) +- [Authentication](https://github.com/mlcsec/Graphpython/wiki/Demos#authentication) + - [Get-GraphTokens](https://github.com/mlcsec/Graphpython/wiki/Demos#get-graphtokens) + - [Get-TenantID](https://github.com/mlcsec/Graphpython/wiki/Demos#get-tenantid) + - [Invoke-RefreshToAzureManagementToken](https://github.com/mlcsec/Graphpython/wiki/Demos#invoke-refreshtoazuremanagementtoken) + - [Invoke-RefreshToMSGraphToken](https://github.com/mlcsec/Graphpython/wiki/Demos#invoke-refreshtomsgraphtoken) + - [Invoke-CertToAccessToken](https://github.com/mlcsec/Graphpython/wiki/Demos#invoke-certtoaccesstoken) + - [Invoke-ESTSCookieToAccessToken](https://github.com/mlcsec/Graphpython/wiki/Demos#invoke-estscookietoaccesstoken) +- [Post-Auth Enumeration](https://github.com/mlcsec/Graphpython/wiki/Demos#post-auth-enumeration) + - [Get-CurrentUser](https://github.com/mlcsec/Graphpython/wiki/Demos#get-currentuser) + - [Get-User](https://github.com/mlcsec/Graphpython/wiki/Demos#get-user) + - [Get-Group](https://github.com/mlcsec/Graphpython/wiki/Demos#get-group) + - [Get-UserPrivileges](https://github.com/mlcsec/Graphpython/wiki/Demos#get-userprivileges) + - [Get-Domains](https://github.com/mlcsec/Graphpython/wiki/Demos#get-domains) + - [Get-Application](https://github.com/mlcsec/Graphpython/wiki/Demos#get-application) + - [List-RecentOneDriveFiles](https://github.com/mlcsec/Graphpython/wiki/Demos#list-recentonedrivefiles) +- [Post-Auth Exploitation](https://github.com/mlcsec/Graphpython/wiki/Demos#post-auth-exploitation) + - [Invite-GuestUser](https://github.com/mlcsec/Graphpython/wiki/Demos#invite-guestuser) + - [Find-PrivilegedRoleUsers](https://github.com/mlcsec/Graphpython/wiki/Demos#find-privilegedroleusers) + - [Assign-PrivilegedRole](https://github.com/mlcsec/Graphpython/wiki/Demos#assign-privilegedrole) + - [Find-PrivilegedApplications](https://github.com/mlcsec/Graphpython/wiki/Demos#find-privilegedapplications) + - [Add-ApplicationCertificate](https://github.com/mlcsec/Graphpython/wiki/Demos#add-applicationcertificate) + - [Add-ApplicationPermission](https://github.com/mlcsec/Graphpython/wiki/Demos#add-applicationpermission) + - [Spoof-OWAEmailMessage](https://github.com/mlcsec/Graphpython/wiki/Demos#spoof-owaemailmessage) + - [Find-DynamicGroups](https://github.com/mlcsec/Graphpython/wiki/Demos#find-dynamicgroups) + - [Find-UpdatableGroups](https://github.com/mlcsec/Graphpython/wiki/Demos#find-updatablegroups) + - [Invoke-Search](https://github.com/mlcsec/Graphpython/wiki/Demos#invoke-search) +- [Post-Auth Intune Enumeration](https://github.com/mlcsec/Graphpython/wiki/Demos#post-auth-intune-enumeration) + - [Get-ManagedDevices](https://github.com/mlcsec/Graphpython/wiki/Demos#get-manageddevices) + - [Get-UserDevices](https://github.com/mlcsec/Graphpython/wiki/Demos#get-userdevices) + - [Get-DeviceCompliancePolicies](https://github.com/mlcsec/Graphpython/wiki/Demos#get-devicecompliancepolicies) + - [Get-DeviceConfigurationPolicies](https://github.com/mlcsec/Graphpython/wiki/Demos#get-deviceconfigurationpolicies) +- [Post-Auth Intune Exploitation](https://github.com/mlcsec/Graphpython/wiki/Demos#post-auth-intune-exploitation) + - [Display-AVPolicyRules](https://github.com/mlcsec/Graphpython/wiki/Demos#display-avpolicyrules) + - [Get-ScriptContent](https://github.com/mlcsec/Graphpython/wiki/Demos#get-scriptcontent) + - [Backdoor-Script](https://github.com/mlcsec/Graphpython/wiki/Demos#backdoor-script) + - [Deploy-MaliciousScript](https://github.com/mlcsec/Graphpython/wiki/Demos#deploy-maliciousscript) + - [Deploy-MaliciousWebLink](https://github.com/mlcsec/Graphpython/wiki/Demos#deploy-maliciousweblink) + - [Add-ExclusionGroupToPolicy](https://github.com/mlcsec/Graphpython/wiki/Demos#add-exclusiongrouptopolicy) +- [Cleanup](https://github.com/mlcsec/Graphpython/wiki/Demos#cleanup) + - [Remove-GroupMember](https://github.com/mlcsec/Graphpython/wiki/Demos#remove-groupmember) +- [Locators](https://github.com/mlcsec/Graphpython/wiki/Demos#locators) + - [Locate-ObjectID](https://github.com/mlcsec/Graphpython/wiki/Demos#locate-objectid) + - [Locate-PermissionID](https://github.com/mlcsec/Graphpython/wiki/Demos#locate-permissionid) + - [Locate-DirectoryRole](https://github.com/mlcsec/Graphpython/wiki/Demos#locate-directoryrole) +
## Acknowledgements and References - [AADInternals](https://github.com/Gerenios/AADInternals) - [GraphRunner](https://github.com/dafthack/GraphRunner) -- [TokenTactics](https://github.com/rvrsh3ll/TokenTactics) -- [TokenTacticsV2](https://github.com/f-bader/TokenTacticsV2) +- [TokenTactics](https://github.com/rvrsh3ll/TokenTactics) and [TokenTacticsV2](https://github.com/f-bader/TokenTacticsV2) - [https://learn.microsoft.com/en-us/graph/permissions-reference](https://learn.microsoft.com/en-us/graph/permissions-reference) - [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference) - [https://graphpermissions.merill.net/](https://graphpermissions.merill.net/) @@ -617,12 +275,15 @@ Graph permission IDs applied to objects can be easily located with detailed expl ## Todo - Update: - - [ ] `Get-UserPrivileges` - update to flag any privileged directory role app ids - - [ ] `Locate-DirectoryRoleID` - similar to other locator functions but for resolving directory role ids + - [ ] Add nextlink for `get-user` and `get-group` + - [ ] `Get-UserPrivileges` - update to flag any privileged directory role app ids green + - [x] `Locate-DirectoryRoleID` - similar to other locator functions but for resolving directory role ids + - [ ] `Deploy-MaliciousWebLink` - add option to deploy script which copies new windows web app link to all user desktops - New: - [ ] `Deploy-MaliciousWin32Exe/MSI` - use IntuneWinAppUtil.exe to package the EXE/MSI and deploy to devices - check also [here](https://learn.microsoft.com/en-us/graph/api/resources/intune-app-conceptual?view=graph-rest-1.0) for managing iOS, Android, LOB apps etc. via graph - [ ] `Update/Deploy-Policy` - update existing rules for av, asr, etc. policy or deploy a new one with specific groups/devices - - [ ] `Invoke-MFASweep` - port mfa sweep and add to outsider commands + - [ ] `Invoke-MFASweep` - port mfa sweep and add to outsider commands + - [ ] `Invoke-AADIntReconAsGuest` and `Invoke-AADIntUserEnumerationAsGuest` - port from AADInternals - Options: - [ ] --proxy option diff --git a/graphpython/MANIFEST.in b/graphpython/MANIFEST.in deleted file mode 100644 index 3923482..0000000 --- a/graphpython/MANIFEST.in +++ /dev/null @@ -1 +0,0 @@ -include graphpython/commands/graphpermissions.txt \ No newline at end of file diff --git a/setup.py b/setup.py index c55b152..689afb6 100644 --- a/setup.py +++ b/setup.py @@ -10,7 +10,7 @@ requirements = [x.strip() for x in f.readlines()] setup( - name="graphpython", + name="Graphpython", version="1.0", packages=find_packages(), author="mlcsec", @@ -32,11 +32,11 @@ python_requires='>=3.6', entry_points={ "console_scripts": [ - "graphpython=graphpython.__main__:main", + "Graphpython=Graphpython.__main__:main", ], }, include_package_data=True, package_data={ - 'graphpython': ['commands/graphpermissions.txt'], + 'Graphpython': ['commands/graphpermissions.txt', 'commands/directoryroles.txt'] }, ) \ No newline at end of file