Graphpython: The Swiss Army Knife for Microsoft Graph Exploitation

Graphpython

Graphpython is a modular Python tool for cross-platform Microsoft Graph API enumeration and exploitation. It builds upon the capabilities of AADInternals (Killchain.ps1), GraphRunner, and TokenTactics(V2) to provide a comprehensive solution for interacting with the Microsoft Graph API for red team and cloud assumed breach operations.

Graphpython covers external reconnaissance, authentication/token manipulation, enumeration, and post-exploitation of various Microsoft services, including Entra ID (Azure AD), Office 365 (Outlook, SharePoint, OneDrive, Teams), and Intune (Endpoint Management).

• Invoke-ReconAsOutsider
• Invoke-UserEnumerationAsOutsider

• Get-GraphTokens
• Get-TenantID
• Get-TokenScope
• Decode-AccessToken
• Invoke-RefreshToMSGraphToken
• Invoke-RefreshToAzureManagementToken
• Invoke-RefreshToVaultToken
• Invoke-RefreshToMSTeamsToken
• Invoke-RefreshToOfficeAppsToken
• Invoke-RefreshToOfficeManagementToken
• Invoke-RefreshToOutlookToken
• Invoke-RefreshToSubstrateToken
• Invoke-RefreshToYammerToken
• Invoke-RefreshToIntuneEnrollmentToken
• Invoke-RefreshToOneDriveToken
• Invoke-RefreshToSharePointToken
• Invoke-CertToAccessToken
• Invoke-ESTSCookieToAccessToken
• Invoke-AppSecretToAccessToken
• New-SignedJWT

• Get-CurrentUser
• Get-CurrentUserActivity
• Get-OrgInfo
• Get-Domains
• Get-User
• Get-UserProperties
• Get-UserGroupMembership
• Get-UserTransitiveGroupMembership
• Get-Group
• Get-GroupMember
• Get-AppRoleAssignments
• Get-ConditionalAccessPolicy
• Get-Application
• Get-AppServicePrincipal
• Get-ServicePrincipal
• Get-ServicePrincipalAppRoleAssignments
• Get-PersonalContacts
• Get-CrossTenantAccessPolicy
• Get-PartnerCrossTenantAccessPolicy
• Get-UserChatMessages
• Get-AdministrativeUnitMember
• Get-OneDriveFiles
• Get-UserPermissionGrants
• Get-oauth2PermissionGrants
• Get-Messages
• Get-TemporaryAccessPassword
• Get-Password
• List-AuthMethods
• List-DirectoryRoles
• List-Notebooks
• List-ConditionalAccessPolicies
• List-ConditionalAuthenticationContexts
• List-ConditionalNamedLocations
• List-SharePointRoot
• List-SharePointSites
• List-SharePointURLs
• List-ExternalConnections
• List-Applications
• List-ServicePrincipals
• List-Tenants
• List-JoinedTeams
• List-Chats
• List-ChatMessages
• List-Devices
• List-AdministrativeUnits
• List-OneDrives
• List-RecentOneDriveFiles
• List-SharedOneDriveFiles
• List-OneDriveURLs

• Invoke-CustomQuery
• Invoke-Search
• Find-PrivilegedRoleUsers
• Find-PrivilegedApplications
• Find-UpdatableGroups
• Find-SecurityGroups
• Find-DynamicGroups
• Update-UserPassword
• Update-UserProperties
• Add-UserTAP
• Add-GroupMember
• Add-ApplicationPassword
• Add-ApplicationCertificate
• Add-ApplicationPermission
• Grant-AppAdminConsent
• Create-Application
• Create-NewUser
• Invite-GuestUser
• Assign-PrivilegedRole
• Open-OWAMailboxInBrowser
• Dump-OWAMailbox
• Spoof-OWAEmailMessage

• Get-ManagedDevices
• Get-UserDevices
• Get-CAPs
• Get-DeviceCategories
• Get-DeviceComplianceSummary
• Get-DeviceConfigurations
• Get-DeviceConfigurationPolicySettings
• Get-DeviceEnrollmentConfigurations
• Get-DeviceGroupPolicyConfigurations
• Get-DeviceGroupPolicyDefinition
• Get-RoleDefinitions
• Get-RoleAssignments
• Get-DeviceCompliancePolicies
• Get-DeviceConfigurationPolicies

• Dump-DeviceManagementScripts
• Dump-WindowsApps
• Dump-iOSApps
• Dump-macOSApps
• Dump-AndroidApps
• Get-ScriptContent
• Backdoor-Script
• Deploy-MaliciousScript
• Deploy-MaliciousWebLink
• Display-AVPolicyRules
• Display-ASRPolicyRules
• Display-DiskEncryptionPolicyRules
• Display-FirewallConfigPolicyRules
• Display-FirewallRulePolicyRules
• Display-EDRPolicyRules
• Display-LAPSAccountProtectionPolicyRules
• Display-UserGroupAccountProtectionPolicyRules
• Add-ExclusionGroupToPolicy
• Reboot-Device
• Lock-Device
• Shutdown-Device
• Update-DeviceConfig

• Delete-User
• Delete-Group
• Remove-GroupMember
• Delete-Application
• Delete-Device
• Wipe-Device
• Retire-Device

• Locate-ObjectID
• Locate-PermissionID

Install & Use