Home
GraphRunner is a post-exploitation toolset for working with a Microsoft Entra ID (Azure AD) account. It contains various tools for accessing and manipulating data within the tenant.
There are three separate pieces to GraphRunner:
A PowerShell script containing a number of modules for post-compromise recon, persistence, and pillaging of an account.
An HTML graphic user interface to be used with an access token. Provides various modules around enumeration and pillaging data from services such as Outlook, SharePoint, OneDrive, and Teams.
A basic PHP script that can be used to capture OAuth authorization codes during an OAuth consent flow and a Python script to automatically complete the flow to obtain access tokens.
A few examples of where GraphRunner may assist in identifying and exploiting certain scenarios.