TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Black Hills InfoSec

Introducing GraphRunner: A Post-Exploitation Toolset for Microsoft 365

Kassie Kimball · 2023-10-19

ATT&CK techniques detected

19 predictions
T1114.002 Remote Email Collection · 89%
“- GraphOpenInboxFinder to find other mailboxes that have been shared with you. - Use Get-Inbox to pull the latest messages from other inboxes you can read. Pillage SharePoint, Teams, and email - Leverage the pillage modules to identify sensitive data sent in email (Invoke-Se…”
T1528 Steal Application Access Token · 66%
“…Point, OneDrive, and Teams. - PHPRedirector - a basic PHP script that can be used to capture OAuth authorization codes during an OAuth consent flow and a Python script to automatically complete the flow to obtain access tokens. GraphRunner PowerShell: GraphRunner includes a Powe…”
T1078.004 Cloud Accounts · 64%
“…it expires (default is 1 hour from creation time). Persistence to SharePoint/OneDrive files via guest user access: if external sharing for a site is set to allow “Anyone” or “New and existing guests” access via external sharing, then it may be possible to leverage a guest a…”
T1114.002 Remote Email Collection · 58%
“…use the Invoke-AddGroupMember module, you will need both the group ID and the member ID of the user you want to add to the group. The group ID is output with each group via the Get-SecurityGroups module and the Get-UpdatableGroups module. The user ID for your current user c…”
T1525 Implant Internal Image · 58%
“…displayed in the terminal (in green above). This URL is custom and tied to the specific app registration, including all of the requested scope items. When a user visits this URL, they will be asked to consent to the permissions set for the app. A few years ago, this was leverag…”
T1528 Steal Application Access Token · 57%
“…displayed in the terminal (in green above). This URL is custom and tied to the specific app registration, including all of the requested scope items. When a user visits this URL, they will be asked to consent to the permissions set for the app. A few years ago, this was leverag…”
T1078.004 Cloud Accounts · 53%
“…As an administrator, the Graph API is a very powerful tool for carrying out tasks in Azure. But what about as a normal user? During penetration tests, red team engagements, cloud assessments, and other offensive security assessments, there are often times where we obtain access…”
T1098.007 Additional Local or Domain Groups · 48%
“…ability to update groups in the tenant. It will gather all groups from the tenant and check them one by one to determine if they are modifiable. If you find modifiable groups, that means that your current user has the ability to add members to that group, including yourself, othe…”
T1525 Implant Internal Image · 42%
“…ID and secret) to complete the flow. Recon & Enumeration: GraphRunner includes a number of reconnaissance modules to determine configuration settings, list objects, and identify attack paths in a tenant. The Invoke-GraphRecon module gathers general information about the tenant …”
T1525 Implant Internal Image · 42%
“…Point, OneDrive, and Teams. - PHPRedirector - a basic PHP script that can be used to capture OAuth authorization codes during an OAuth consent flow and a Python script to automatically complete the flow to obtain access tokens. GraphRunner PowerShell: GraphRunner includes a Powe…”
T1525 Implant Internal Image · 41%
“…gain access - Search all user attributes for specific terms - Leverage a GUI built on the Graph API to pillage a user’s account - Dump conditional access policies - Dump app registrations and external apps including consent and scope to identify potentially malicious apps - Too…”
T1525 Implant Internal Image · 39%
“…tied to the application to access the user’s account. If the compromised user changes their password, the app still retains access to their account. If all sessions are killed for the compromised user, we still have access until the access token expires (default is 1 hour) to…”
T1528 Steal Application Access Token · 38%
“…Tokens – Complete OAuth flow as an app to obtain access tokens - Invoke-RefreshAzureAppTokens – Use a refresh token and app credentials to refresh a token - Invoke-AutoTokenRefresh – Refresh tokens at an interval. Recon & Enumeration Modules - Invoke-GraphRecon – Performs …”
T1098.002 Additional Email Delegate Permissions · 36%
“…guest user to the tenant with an email address that contains “admin” in it. Upon being added as a guest to the tenant, the account with “admin” in the name would automatically get added to the dynamic group. GraphRunner helps in finding dynamic groups with the Get-DynamicGr…”
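The dynamic-group attack path quoted above comes down to one question about each membership rule: can a freshly invited guest, whose e-mail address and display name the inviter chooses, satisfy the rule on their own? The Python below is an added example for this page, not GraphRunner code or code from the original post. It parses Entra ID dynamic membership rules in the documented syntax (clauses of the form `user.<attribute> <-operator> <value>` joined by `-and`, `-or` and `-not`), evaluates each one against a hypothetical new guest, and reports which groups such a guest could self-enrol into. The group names and rule strings are constructed, and the treatment of attributes that are empty on a new guest (department, jobTitle and the like) is a stated assumption, not documented behaviour.

```python
"""Flag Entra ID dynamic-group membership rules that an invited guest could
satisfy on their own.  Added example for this page, not GraphRunner code; the
sample rules are constructed.  Grammar: (user.<attr> <-op> <value>) clauses
combined with -and / -or / -not, as in the documented membership-rule syntax."""
import re

# Attributes the inviter or the guest chooses when the guest account is
# created, so an attacker who can send an invitation controls their values.
GUEST_CONTROLLED = {"mail", "othermails", "proxyaddresses", "displayname",
                    "userprincipalname", "mailnickname"}
NEGATIVE_OPS = {"-ne", "-notcontains", "-notmatch", "-notstartswith", "-notin"}

# A token is a parenthesis, a logical operator, or one whole clause such as
# user.mail -contains "admin" (value: quoted string, [list], or bare word).
TOKEN = re.compile(
    r'(\(|\)|-and|-or|-not|'
    r'user\.\w+\s+-\w+\s+(?:"(?:[^"\\]|\\.)*"|\[[^\]]*\]|[^\s()]+))\s*', re.I)
CLAUSE = re.compile(r'user\.(\w+)\s+(-\w+)\s+(.*)', re.S)


def tokenize(rule):
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unparseable rule near {rule[pos:pos + 30]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def clause_verdict(attr, op, value, findings):
    """Can a brand-new guest make this clause true?  Appends the reasoning
    as (attribute, operator, value, reason, result) to `findings`."""
    attr, op = attr.lower(), op.lower()
    negative = op in NEGATIVE_OPS
    if attr == "usertype":
        # Entra sets userType to "Guest" on invited users; not attacker-settable.
        is_guest = value.strip('"').lower() == "guest"
        result = (not is_guest) if negative else is_guest
        findings.append((attr, op, value, "fixed to Guest for invited users", result))
        return result
    if attr in GUEST_CONTROLLED:
        # Attacker picks the value (e.g. an e-mail containing "admin"), so a
        # positive match is satisfiable and a negative one is trivially avoided.
        findings.append((attr, op, value, "attacker-controlled", True))
        return True
    # department, jobTitle, extension attributes: empty on a fresh guest.
    # Assumption: comparing a null attribute is false for positive operators
    # and true for negative ones.  Verify against your tenant before relying on it.
    findings.append((attr, op, value, "null on new guest (assumed)", negative))
    return negative


class _RuleParser:
    """expr := term (-or term)* ; term := factor (-and factor)* ;
    factor := -not factor | ( expr ) | clause.  Every clause is evaluated
    (no short-circuit) so `findings` lists all of them."""
    def __init__(self, tokens, findings):
        self.tokens, self.pos, self.findings = tokens, 0, findings

    def peek(self):
        return self.tokens[self.pos].lower() if self.pos < len(self.tokens) else None

    def take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of rule")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def expr(self):
        value = self.term()
        while self.peek() == "-or":
            self.take()
            rhs = self.term()
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "-and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        tok = self.take()
        if tok.lower() == "-not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        m = CLAUSE.match(tok)
        if not m:
            raise ValueError(f"unexpected token {tok!r}")
        return clause_verdict(*m.groups(), self.findings)


def guest_can_join(rule):
    """Return (satisfiable_by_guest, findings) for one membershipRule string."""
    findings = []
    parser = _RuleParser(tokenize(rule), findings)
    result = parser.expr()
    if parser.pos != len(parser.tokens):
        raise ValueError("trailing tokens in rule")
    return result, findings


# Constructed rules of the kind a dynamic-group dump would return.
SAMPLE_RULES = {
    "helpdesk-admins": '(user.mail -contains "admin")',
    "it-admins": '(user.department -eq "IT") -and (user.mail -contains "admin")',
    "member-admins": '(user.userPrincipalName -match ".*admin.*") -and (user.userType -eq "Member")',
    "all-guests": '(user.userType -eq "Guest")',
}


def audit(rules=SAMPLE_RULES):
    """Map each group name to whether a self-chosen guest identity can join it."""
    return {name: guest_can_join(rule)[0] for name, rule in rules.items()}


if __name__ == "__main__":
    for name, joinable in audit().items():
        print(f"{name:16} guest can self-enrol: {joinable}")
```

The `member-admins` rule shows the fix the analysis points to: anchoring a rule on `user.userType -eq "Member"` (or on an attribute only HR or an admin can set) makes the attacker-controlled clause irrelevant, whereas `helpdesk-admins` is joinable by anyone who can get a guest invited with a suitable address.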
T1098.003 Additional Cloud Roles · 36%
“…ability to update groups in the tenant. It will gather all groups from the tenant and check them one by one to determine if they are modifiable. If you find modifiable groups, that means that your current user has the ability to add members to that group, including yourself, othe…”
T1098.003 Additional Cloud Roles · 34%
“…and automatically complete the flow using the service principal’s credentials. Upon successfully completing the flow, it will output a new set of access tokens, as well as write them to the global $appTokens variable in the terminal. Now when you run GraphRunner modules, you c…”
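The consent-URL, PHPRedirector and token-refresh passages quoted on this page describe one OAuth authorization-code flow end to end: a victim consents at a URL bound to an app registration and its requested scopes, the redirector receives the authorization code, the code is exchanged for tokens using the app's ID and secret, and a refresh token keeps the app's access alive past the roughly one-hour access token and past a password change. The Python below is an added example for this page, not GraphRunner code or code from the original post; it models each step of that flow offline so a reviewer can see exactly what a consent URL asks for and what the follow-up requests look like. The consent URL, client_id, redirect_uri, code, secret and token response are constructed, the HIGH_VALUE_SCOPES table is this editor's selection, and the endpoint paths are the documented v2.0 /authorize and /token paths on login.microsoftonline.com.

```python
"""Take a Microsoft identity platform consent URL apart and model the two
token requests that follow it: the authorization-code exchange a redirector
makes after capturing `code`, and the refresh that keeps the app's access
alive once the access token (about one hour) expires.  Added example for
this page, not GraphRunner code.  Consent URL, client_id, redirect_uri,
code, secret and token response are constructed; endpoint paths are the
documented v2.0 /authorize and /token paths on login.microsoftonline.com."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

# Delegated Graph scopes worth flagging in a consent request (editor's
# selection).  offline_access is the important one: it makes the server issue
# a refresh token, so the app survives access-token expiry and a password change.
HIGH_VALUE_SCOPES = {
    "offline_access": "refresh token issued; access outlives the access token",
    "Mail.Read": "read the user's mailbox",
    "Mail.ReadWrite": "read and modify mail",
    "Mail.Send": "send mail as the user",
    "Files.ReadWrite.All": "read/write all OneDrive and SharePoint files the user can reach",
    "Sites.Read.All": "read all SharePoint sites the user can reach",
    "Chat.ReadWrite": "read and send Teams chats",
    "Directory.Read.All": "enumerate users, groups and apps",
    "Group.ReadWrite.All": "change group membership",
}

# Constructed consent URL, shaped like the one the post describes being printed.
SAMPLE_CONSENT_URL = (
    f"{AUTHORITY}/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fredirector.example%2Fcallback&response_mode=query"
    "&scope=openid%20offline_access%20Mail.Read%20Files.ReadWrite.All%20User.Read"
    "&state=abc123"
)
# Constructed /token response (real ones carry JWTs; expires_in is typically 3599).
SAMPLE_TOKEN_RESPONSE = {"token_type": "Bearer", "expires_in": 3599,
                         "access_token": "<constructed>", "refresh_token": "<constructed>"}


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_consent_url(url):
    """Split a v2.0 /authorize URL into the fields a reviewer cares about."""
    qs = _query(url)
    return {
        "tenant": urlparse(url).path.split("/")[1],   # /{tenant}/oauth2/v2.0/authorize
        "client_id": qs.get("client_id", ""),
        "redirect_uri": qs.get("redirect_uri", ""),
        "response_type": qs.get("response_type", ""),
        "state": qs.get("state", ""),
        "scopes": qs.get("scope", "").split(),
    }


def flag_scopes(scopes):
    """Requested scopes that appear in HIGH_VALUE_SCOPES, with the reason."""
    return {s: HIGH_VALUE_SCOPES[s] for s in scopes if s in HIGH_VALUE_SCOPES}


def code_from_redirect(redirect_url, expected_state=None):
    """What the redirector sees: the victim's browser lands on redirect_uri
    carrying ?code=...&state=...  Returns the code, checking state if given."""
    qs = _query(redirect_url)
    if expected_state is not None and qs.get("state") != expected_state:
        raise ValueError("state mismatch: not our consent flow")
    return qs["code"]


def build_token_request(tenant, client_id, client_secret, code, redirect_uri, scopes):
    """The POST that turns a captured code into access + refresh tokens."""
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", urlencode(form)


def build_refresh_request(tenant, client_id, client_secret, refresh_token, scopes):
    """The POST a refresh loop sends; no user interaction or password involved."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token,
            "scope": " ".join(scopes)}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", urlencode(form)


def refresh_due(token_response, issued_at, now, skew=timedelta(minutes=5)):
    """True once the access token is within `skew` of its expires_in deadline."""
    expires_at = issued_at + timedelta(seconds=int(token_response["expires_in"]))
    return now >= expires_at - skew


def demo():
    """Walk the constructed flow end to end and return the interesting results."""
    info = parse_consent_url(SAMPLE_CONSENT_URL)
    code = code_from_redirect(
        f"{info['redirect_uri']}?code=0.CONSTRUCTED&state={info['state']}", info["state"])
    endpoint, _ = build_token_request(info["tenant"], info["client_id"], "<secret>",
                                      code, info["redirect_uri"], info["scopes"])
    issued = datetime(2023, 10, 19, 12, 0, tzinfo=timezone.utc)
    return {
        "flagged": sorted(flag_scopes(info["scopes"])),
        "token_endpoint": endpoint,
        "refresh_due_at_start": refresh_due(SAMPLE_TOKEN_RESPONSE, issued, issued),
        "refresh_due_at_56m": refresh_due(SAMPLE_TOKEN_RESPONSE, issued,
                                          issued + timedelta(minutes=56)),
    }


if __name__ == "__main__":
    print(demo())
```

Two things to take from the model: the refresh request carries only the app's credentials and the refresh token, which is why revoking the user's sessions or changing their password does not end the app's access, and the `state` check is what stops a redirector from swallowing codes from consent flows it did not start.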
T1525 Implant Internal Image · 34%
“…determine what actions the current user is allowed to do. This is useful for discovering what unique actions your user is able to perform in the tenant. Additionally, when we get into the group editing section later in the blog post, this method is useful for helping determine wh…”
T1078.004 Cloud Accounts · 33%
“…real-world engagements as well as R&D sessions, a toolset began to be developed internally at BHIS. In this blog post, you will find a thorough description of each piece of the toolset we are releasing. Additionally, we present several attack path scenarios to demonstrate sit…”
T1528 Steal Application Access Token · 32%
“…determine what actions the current user is allowed to do. This is useful for discovering what unique actions your user is able to perform in the tenant. Additionally, when we get into the group editing section later in the blog post, this method is useful for helping determine wh…”

Summary

By Beau Bullock & Steve Borosh. TL;DR: We built a post-compromise toolset called GraphRunner for interacting with the Microsoft Graph API. It provides various tools for performing reconnaissance, persistence, and […]

The post Introducing GraphRunner: A Post-Exploitation Toolset for Microsoft 365 appeared first on Black Hills Information Security, Inc.