Post-Exploitation

Pillaging O365

GraphRunner is a post-exploitation toolkit for the Microsoft Graph API. It features a wide variety of lateral movement recon, resource pillaging, and privilege escalation capabilities. Among its best features is the ability to pillage SharePoint and OneDrive for sensitive information. There are a few key tactics that should assist your post-exploitation activities:

  1. Search all available resources for plaintext credentials (password, login, etc.)

  2. Search all available resources for Azure resource references (azure, blob, azurewebsites, etc.)

  3. Search all available resources for interesting file types (.ps1, .cmd, etc.)

  4. Locate the IT, Development, or DevOps personnel/groups. Look for publicly accessible SharePoint content from these individuals.

```powershell
# Authenticate
Get-GraphTokens

# Pillage
Invoke-SearchSharePointAndOneDrive -SearchTerm Password -Tokens $tokens
Invoke-SearchTeams -SearchTerm Password -Tokens $tokens
Invoke-SearchMailbox -Tokens $tokens -SearchTerm "password" -MessageCount 40
```
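The same search categories can be turned around and used by a tenant owner to find exposed content first. The block below is an added example, not GraphRunner code and not part of the original page: it triages a file inventory using the term lists from tactics 1 to 3. The function name `Get-PillageRisk`, the `Name`/`Path`/`Snippet` fields and the sample rows are constructed assumptions.

```powershell
# Added example, not GraphRunner code: defender-side triage using the page's term lists.
# Get-PillageRisk, the Name/Path/Snippet fields and the sample rows are hypothetical.
$CredentialTerms = 'password', 'login'
$AzureTerms      = 'azure', 'blob', 'azurewebsites'
$RiskyExtensions = '.ps1', '.cmd'

function Get-PillageRisk {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$File
    )
    process {
        # Match against both the file name and the extracted text snippet.
        $text    = "$($File.Name) $($File.Snippet)"
        $reasons = [System.Collections.Generic.List[string]]::new()

        foreach ($term in $CredentialTerms) {
            if ($text -match [regex]::Escape($term)) { $reasons.Add("credential:$term") }
        }
        $hasCredential = $reasons.Count -gt 0

        foreach ($term in $AzureTerms) {
            if ($text -match [regex]::Escape($term)) { $reasons.Add("azure:$term") }
        }

        $ext = [System.IO.Path]::GetExtension($File.Name).ToLowerInvariant()
        $isScript = $RiskyExtensions -contains $ext
        if ($isScript) { $reasons.Add("filetype:$ext") }

        if ($reasons.Count -eq 0) { return }   # nothing a keyword search would surface

        [pscustomobject]@{
            Path     = $File.Path
            # A script that also mentions a credential keyword is triaged first.
            Priority = if ($isScript -and $hasCredential) { 'High' } else { 'Review' }
            Reasons  = $reasons -join ', '
        }
    }
}

# Constructed sample inventory (not real tenant data).
$inventory = @(
    [pscustomobject]@{ Name = 'deploy.ps1'; Path = '/sites/DevOps/deploy.ps1'; Snippet = '$password = "<redacted>"' }
    [pscustomobject]@{ Name = 'storage.docx'; Path = '/sites/IT/storage.docx'; Snippet = 'Backups: https://example.blob.core.windows.net/' }
    [pscustomobject]@{ Name = 'menu.docx'; Path = '/sites/HR/menu.docx'; Snippet = 'Friday: pizza' }
)
$inventory | Get-PillageRisk | Sort-Object Priority | Format-Table -AutoSize
```

Items flagged `High` are candidates for removing the secret and rotating it; `Review` items usually only need their sharing scope checked.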
