Skip to content

Usage

Jump to bottom
mc edited this page Jul 24, 2024 · 22 revisions

This page documents the available arguments and switches for Graphpython.

usage: Graphpython [-h] [--command COMMAND] [--list-commands] [--token TOKEN] [--estsauthcookie ESTSAUTHCOOKIE] [--use-cae] [--cert CERT]
                   [--domain DOMAIN] [--tenant TENANT] [--username USERNAME] [--secret SECRET] [--id ID] [--select SELECT] [--query QUERY]
                   [--search SEARCH] [--entity {driveItem,message,chatMessage,site,event}] [--device {Mac,Windows,AndroidMobile,iPhone}]
                   [--browser {Android,IE,Chrome,Firefox,Edge,Safari}] [--only-return-cookies]
                   [--mail-folder {Allitems,inbox,archive,drafts,sentitems,deleteditems,recoverableitemsdeletions}] [--top TOP]
                   [--script SCRIPT] [--email EMAIL]

General

  • -h, --help - Show the help message and exit
Graphpython -h

  • --command COMMAND - specify the command to execute
Graphpython --command get-currentuser --token token

  • --list-commands - list all available commands
Graphpython --list-commands

Authentication

  • --token TOKEN - provide a Microsoft Graph access token or refresh token for FOCI abuse
    • can either supply the token raw or from a file
Graphpython --command get-user --token eyJ0...
Graphpython --command find-privilegedapplications --token token.txt 
Graphpython --command invoke-refreshtoazuremanagementtoken --token <refreshtoken> --tenant <tenantid>

  • --estsauthcookie ESTSAUTHCOOKIE - supply 'ESTSAuth' or 'ESTSAuthPersistent' cookie for Invoke-ESTSCookieToAccessToken
Graphpython --command invoke-estscookietoaccesstoken ---estsauthcookie ESTSAUTHPERSISTENT=... --tenant <tenantid> --use-cae
Graphpython --command invoke-estscookietoaccesstoken ---estsauthcookie ESTSAUTH=... --tenant <tenantid> --use-cae

  • --use-cae - flag to use Continuous Access Evaluation (CAE) which adds 'cp1' as a client claim to obtain an access token valid for 24 hours. Can be used with the following authentication commands:
    • Invoke-RefreshToMSGraphToken
    • Invoke-RefreshToAzureManagementToken
    • Invoke-RefreshToMSTeamsToken
    • Invoke-RefreshToOfficeAppsToken
    • Invoke-RefreshToOfficeManagementToken
    • Invoke-RefreshToOutlookToken
    • Invoke-RefreshToSubstrateToken
    • Invoke-RefreshToYammerToken
    • Invoke-RefreshToOneDriveToken
    • Invoke-RefreshToSharePointToken
    • Invoke-ESTSCookieToAccessToken
Graphpython --command <above> --token <refresh> --tenant <tenantid> --use-cae

  • --username USERNAME - provide an email or a file containing user emails for outsider user enumeration
Graphpython --command invoke-userenumerationasoutsider --username users@company.com/users.txt

  • --cert CERT - path to an X509Certificate
    • .pfx for Invoke-CertToAccessToken
    • .crt, .cer, or .pem for Add-ApplicationCertificate
Graphpython --command invoke-certtoaccesstoken --cert certificate.pfx --id <appid> --tenant <tenantid> 
Graphpython --command add-applicationcertificate --cert certificate.crt --id <appobjectid> --token token

  • --domain DOMAIN - specify the target domain
Graphpython --command get-tenantid --domain company.com
Graphpython --command invoke-reconasoutsider --domain company.com

  • --tenant TENANT - specify the target tenant ID. Used for more authentication/refresh commands
Graphpython --commad invoke-refreshtomsgraphtoken --tenant <tenantid> --token <refresh> --use-cae

  • --secret SECRET - enterprise application secretText value for generating access token with Invoke-AppSecretToAccessToken. Can also add and then use an application secret returned from App-ApplicationSecret
  Graphpython --command invoke-appsecrettoaccesstoken --secret <secretText> --id <appid> --token <token>

Target

  • --id ID - ID of the target object. Multiple uses and can be object, app, user, group, ... ID. User Principal Name is also supported for user based commands
Graphpython --command get-application --id <appid> --token token
Graphpython --command get-user --id user.name@company.com --token token

  • --select SELECT - fields to select and filter from the response for refining heavy output
Graphpython --command get-user --select id,displayName,userPrincipalName --token <token>
Graphpython --command list-recentonedrivefiles --select name,webUrl --token <token>

  • --query QUERY - raw API query URL (GET only) for use with Invoke-CustomQuery
Graphpython --command invoke-customquery --query https://graph.microsoft.com/v1.0/users --token <token>

Search

Only used with Invoke-Search

  • --search SEARCH - search string for querying
Graphpython --command invoke-search --search "password" --entity driveItem --token <token>

  • --entity {driveItem,message,chatMessage,site,event} - specify the type of entity to search for:
    • driveItem: OneDrive items
    • message: Mail messages
    • chatMessage: Teams chat messages
    • site: SharePoint sites
    • event: Calendar events
Graphpython --command invoke-search --search "credentials" --entity message --token <token>

User-Agents

  • --device {Mac,Windows,AndroidMobile,iPhone} - specify the device type for User-Agent forging
Graphpython --command get-userproperties --device Mac --browser Safari --token <token>

  • --browser {Android,IE,Chrome,Firefox,Edge,Safari} - specify the browser type for User-Agent forging
Graphpython --command get-group --browser Edge --device Windows --token <token>

  • --only-return-cookies - only return cookies from the request (used with Open-OWAMailboxInBrowser command)
Graphpython --only-return-cookies

Mail

Only used with Dump-OWAMailbox

  • --mail-folder FOLDER - specify the mail folder to dump using the Dump-OWAMailbox command
    • Allitems
    • inbox
    • archive
    • drafts
    • sentitems
    • deleteditems
    • recoverableitemsdeletions
# displays top 10 emails
Graphpython --command dump-owamailbox --mail-folder inbox --token token --top 10 
# dump target user mailbox:
Graphpython --command dump-owamailbox --mail-folder inbox --id <userid/upn> --token <token>

  • --top TOP - Number of messages to retrieve (integer) from the mail folder
# displays top 10 emails
Graphpython --command dump-owamailbox --mail-folder inbox --top 10 --token <token>
Graphpython --command dump-owamailbox --mail-folder inbox --id <userid/upn> --top 20 --token <token>

Payloads

  • --script SCRIPT - File containing the script content for Deploy-MaliciousScript or Backdoor-Script
Graphpython --command deploy-maliciousscript --script malicious.ps1 --token <intunetoken>

  • --email EMAIL - File containing OWA email message body content for Spoof-OWAEmailMessage
Graphpython --command spoof-owaemailmessage [--id <userid to spoof>] --email email-body.txt --token <token>

Clone this wiki locally