
Mastering Microsoft Entra ID Post-Exploitation: A Deep Dive into GraphRunner

By Bearloggs
#red-team #azure #cloud #cloud-security #entra-id

Introduction to GraphRunner

As on-premises Active Directory environments migrate to the cloud, the perimeter has shifted to identity. For Red Teamers and attackers alike, the Microsoft Graph API has become the new command line for the cloud—a massive, complex interface that controls access to Microsoft 365, Windows, and Enterprise Mobility + Security.

Enter GraphRunner. Developed by Beau Bullock and Steve Borosh of Black Hills Information Security, GraphRunner is a post-exploitation toolset designed to interact with users and data within a Microsoft Entra ID (formerly Azure AD) tenant. It simplifies the complexity of the Graph API, allowing testers to easily manage tokens, enumerate data, and persist access.

This guide breaks down GraphRunner’s capabilities and provides actionable detection strategies for Blue Teams.

Phase 1: Authentication & Access

Before an attacker can move laterally, they need a valid token. GraphRunner simplifies the OAuth flow effectively.

The Tools

  • Get-GraphTokens: Utilizes the device-code login flow. This is a popular phishing technique where a user is tricked into entering a code on microsoft.com/devicelogin, granting the attacker a Refresh Token and Access Token.
  • Get-AzureAppTokens: Employs the OAuth flow to obtain tokens via Azure AD applications.
  • Token Management: Modules like Invoke-RefreshGraphTokens and Invoke-AutoTokenRefresh keep the session alive by automatically refreshing rolling tokens.

🛡️ Detection Strategy

Detection here relies heavily on Entra ID Sign-In Logs.

  • Device Code Phishing: Look for authentication failures followed by successes using the “Device Code” protocol, specifically from unexpected geolocations or IP addresses.
  • Service Principals: Monitor Service Principal sign-ins for anomalies (e.g., accessing the environment at odd hours or from non-compliant devices).
  • Logging Gap: Be aware that token refresh actions (using a refresh token to get a new access token) often have inconsistent logging, making detection of the maintenance phase difficult.
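One way to implement the device-code check above, as an added example that is not part of the original article or of GraphRunner: the function walks constructed sign-in records (column names follow the SigninLogs schema; the `deviceCode` protocol value and the per-user IP baseline are assumptions) and reports device-code successes that were preceded by a failure within a short window, or that came from an IP the user has not used before.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (invented values; column names follow the
# SigninLogs schema). ResultType "0" is a success, anything else is a failure.
SIGNIN_LOGS = [
    {"TimeGenerated": t, "UserPrincipalName": u, "AuthenticationProtocol": p,
     "ResultType": r, "IPAddress": ip} for t, u, p, r, ip in [
        ("2024-05-01T09:00:00", "alice@example.com", "deviceCode", "50126", "198.51.100.7"),
        ("2024-05-01T09:04:00", "alice@example.com", "deviceCode", "0", "198.51.100.7"),
        ("2024-05-01T10:00:00", "bob@example.com", "deviceCode", "0", "203.0.113.5"),
        ("2024-05-01T11:00:00", "carol@example.com", "authorizationCode", "0", "198.51.100.7"),
    ]
]

# Assumed per-user baseline: IPs seen in the previous 30 days (constructed).
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.5"},
    "bob@example.com": {"203.0.113.5"},
    "carol@example.com": {"198.51.100.7"},
}

def _ts(rec):
    return datetime.fromisoformat(rec["TimeGenerated"])

def find_device_code_anomalies(logs, window=timedelta(minutes=15)):
    """Return (user, time, ip, reasons) for each device-code success that was
    preceded by a device-code failure within `window` and/or came from an IP
    outside the user's baseline; both reasons are kept so hits can be ranked."""
    by_user = defaultdict(list)
    for rec in logs:
        if rec["AuthenticationProtocol"] == "deviceCode":
            by_user[rec["UserPrincipalName"]].append(rec)
    hits = []
    for user, recs in by_user.items():
        recs.sort(key=_ts)
        for i, rec in enumerate(recs):
            if rec["ResultType"] != "0":
                continue
            reasons = []
            if any(r["ResultType"] != "0" and _ts(rec) - _ts(r) <= window
                   for r in recs[:i]):
                reasons.append("failure_then_success")
            if rec["IPAddress"] not in KNOWN_IPS.get(user, set()):
                reasons.append("unseen_ip")
            if reasons:
                hits.append((user, rec["TimeGenerated"], rec["IPAddress"], reasons))
    return hits
```

A device-code success from a known IP with no preceding failure (bob in the sample) is deliberately not reported, which keeps legitimate CLI logins out of the alert queue.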

Phase 2: Reconnaissance & Enumeration

Once authenticated, the goal shifts to situational awareness. GraphRunner automates the discovery of permissions, users, and interesting data.

The Tools

  • Invoke-GraphRecon: A heavy lifter that pulls tenant information, including application permissions, user settings, and conditional access policies.
  • Invoke-GraphRunner: The “loud” button. It automates multiple recon modules in sequence to create a comprehensive snapshot of the tenant.
  • Invoke-GraphOpenInboxFinder: Checks if the current user has permission to read other users’ inboxes—a common misconfiguration in delegated permissions.

🛡️ Detection Strategy

To catch this, you need MicrosoftGraphActivityLogs enabled (it is not always on by default).

  • Volume Analysis: Invoke-GraphRunner generates a massive spike in API calls. Alert on a single user identity querying a high volume of distinct endpoints (e.g., users, groups, applications) in a short timeframe.
  • Specific API Calls: Monitor for unusual GET requests to distinct mail endpoints if the user does not have a business justification for mailbox delegation.
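The volume-analysis rule above, written out as an added example (not code from the article or from GraphRunner): request URIs from constructed MicrosoftGraphActivityLogs rows (the column names TimeGenerated/UserId/RequestUri are assumed to match the table) are collapsed to resource templates so that paging and per-object calls do not inflate the count, and an identity is flagged when it touches many distinct templates inside one sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed MicrosoftGraphActivityLogs sample (invented values; column names
# are assumed to match the table schema).
_BASE = "https://graph.microsoft.com/"
GRAPH_LOGS = [
    {"TimeGenerated": t, "UserId": u, "RequestUri": _BASE + path} for t, u, path in [
        ("2024-05-01T09:10:00", "u-alice", "v1.0/organization"),
        ("2024-05-01T09:10:02", "u-alice", "v1.0/users?$top=999"),
        ("2024-05-01T09:10:04", "u-alice", "v1.0/groups?$top=999"),
        ("2024-05-01T09:10:06", "u-alice", "v1.0/applications"),
        ("2024-05-01T09:10:08", "u-alice", "beta/policies/conditionalAccessPolicies"),
        ("2024-05-01T09:10:10", "u-alice", "v1.0/users/bob@example.com/mailFolders/inbox/messages"),
        ("2024-05-01T09:30:00", "u-bob", "v1.0/me/messages?$top=10"),
        ("2024-05-01T09:31:00", "u-bob", "v1.0/me/messages?$skip=10"),
    ]
]

# GUIDs and UPN-style path segments are object identifiers, not endpoints.
_ID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}|[^/]+@[^/]+", re.I)

def endpoint_template(uri):
    """Collapse a request URI to its resource template, e.g.
    /v1.0/users/<upn>/messages?$top=10 -> users/{id}/messages."""
    parts = [p for p in urlparse(uri).path.split("/") if p]
    if parts and parts[0].lower() in ("v1.0", "beta"):
        parts = parts[1:]
    return "/".join("{id}" if _ID.fullmatch(p) else p.lower() for p in parts)

def find_recon_bursts(logs, window=timedelta(minutes=10), min_distinct=5):
    """Return {identity: most distinct templates seen in one window} for every
    identity that reached min_distinct. A scripted recon run trips this;
    an app that pages through one endpoint does not."""
    by_id = defaultdict(list)
    for rec in logs:
        by_id[rec["UserId"]].append((datetime.fromisoformat(rec["TimeGenerated"]),
                                     endpoint_template(rec["RequestUri"])))
    alerts = {}
    for ident, events in by_id.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            distinct = {ep for t, ep in events[i:] if t - t0 <= window}
            if len(distinct) >= min_distinct:
                alerts[ident] = max(alerts.get(ident, 0), len(distinct))
    return alerts
```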

Phase 3: Persistence

Persistence in the cloud often looks different from on-premises persistence. Instead of dropping binaries, attackers modify identity objects.

The Tools

  • Invoke-InjectOAuthApp: This automates the deployment of a new App Registration (Service Principal) in the tenant. It attempts to assign permissions without triggering the need for Global Admin consent, creating a permanent backdoor.
  • Invoke-AddGroupMember: Surreptitiously adds a user (controlled by the attacker) to an existing Entra ID group.

🛡️ Detection Strategy

  • Azure Audit Logs: Alert immediately on the creation of new Applications or Service Principals by non-admin users.
  • Role Changes: Monitor both Entra ID Audit Logs and Unified Audit Logs for Add member to group events, specifically focusing on sensitive groups (e.g., Helpdesk Admins, Privileged Auth Admins).

Phase 4: Data Exfiltration

The final stage is looting the environment for sensitive data. GraphRunner targets the three pillars of M365 data: Exchange, SharePoint/OneDrive, and Teams.

The Tools

  • Invoke-SearchSharePointAndOneDrive: Scans all accessible sites and drives for keywords (e.g., “password”, “contract”, “salary”).
  • Invoke-SearchMailbox & Invoke-SearchTeams: Searches emails and chat history for specific terms and exports the results.
  • Invoke-ImmersiveFileReader: A stealthy module that attempts to bypass certain restrictions by opening files using the “Immersive Reader” API. Notably, this does not always generate standard read events in Graph logs.

🛡️ Detection Strategy

  • Unified Audit Log: While Graph logs might miss the Immersive Reader, the Unified Audit Log (UAL) should capture an Accessed file operation.
  • Download Spikes: Monitor for FileDownloaded events in SharePoint/OneDrive that exceed standard user behavior thresholds.
  • Mailbox Access: Alert on MailItemsAccessed operations where the OperationCount is unusually high, indicating a programmatic scrape rather than human browsing.
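The Phase 3 and Phase 4 detection strategies above can both be driven from a Unified Audit Log export, so this added example (not code from the article or from GraphRunner) covers them together: it parses constructed AuditData JSON lines and raises the four signals named in the text. The operation names, the `ModifiedProperties`/`Group.DisplayName` layout, the admin allow-list and the thresholds are assumptions to check against a real export.

```python
import json
from collections import Counter

# Constructed Unified Audit Log export, one AuditData JSON document per line
# (values invented; field and operation names are assumed to follow the UAL
# schema and should be verified against a real export).
UAL_LINES = [
    '{"CreationTime":"2024-05-01T12:00:00","Operation":"Add application.","UserId":"alice@example.com","ResultStatus":"Success"}',
    '{"CreationTime":"2024-05-01T12:01:00","Operation":"Add member to group.","UserId":"alice@example.com","ModifiedProperties":[{"Name":"Group.DisplayName","NewValue":"\\"Helpdesk Admins\\""}]}',
    '{"CreationTime":"2024-05-01T12:02:00","Operation":"Add member to group.","UserId":"bob@example.com","ModifiedProperties":[{"Name":"Group.DisplayName","NewValue":"\\"Coffee Club\\""}]}',
    '{"CreationTime":"2024-05-01T12:03:00","Operation":"MailItemsAccessed","UserId":"alice@example.com","OperationCount":1200}',
    '{"CreationTime":"2024-05-01T12:03:30","Operation":"MailItemsAccessed","UserId":"bob@example.com","OperationCount":6}',
    '{"CreationTime":"2024-05-01T12:04:00","Operation":"FileDownloaded","UserId":"alice@example.com","ObjectId":"https://contoso.example/sites/hr/a.docx"}',
    '{"CreationTime":"2024-05-01T12:04:10","Operation":"FileDownloaded","UserId":"alice@example.com","ObjectId":"https://contoso.example/sites/hr/b.docx"}',
    '{"CreationTime":"2024-05-01T12:04:20","Operation":"FileDownloaded","UserId":"alice@example.com","ObjectId":"https://contoso.example/sites/hr/c.docx"}',
]

ADMINS = {"admin@example.com"}  # assumed: identities expected to register apps
SENSITIVE_GROUPS = {"helpdesk admins", "privileged auth admins"}

def _group_name(rec):
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "Group.DisplayName":
            return prop.get("NewValue", "").strip('"').lower()
    return ""

def scan_ual(lines, mail_threshold=500, download_threshold=3):
    """Return (rule, user, detail) tuples for the Phase 3 and Phase 4 signals."""
    downloads = Counter()  # (user, hour bucket) -> FileDownloaded count
    alerts = []
    for line in lines:
        rec = json.loads(line)
        op = rec.get("Operation", "").rstrip(".").lower()  # UAL names end with "."
        user = rec.get("UserId", "")
        if op in ("add application", "add service principal") and user not in ADMINS:
            alerts.append(("app_created_by_non_admin", user, op))
        elif op == "add member to group" and _group_name(rec) in SENSITIVE_GROUPS:
            alerts.append(("sensitive_group_add", user, _group_name(rec)))
        elif op == "mailitemsaccessed" and rec.get("OperationCount", 0) >= mail_threshold:
            alerts.append(("mail_scrape", user, rec["OperationCount"]))
        elif op == "filedownloaded":
            downloads[(user, rec["CreationTime"][:13])] += 1
    for (user, hour), n in downloads.items():
        if n >= download_threshold:
            alerts.append(("download_spike", user, n))
    return alerts
```

The download threshold is bucketed per user and hour so a burst from a scripted search stands out against a day of ordinary file opens; tune both thresholds from your own tenant's baseline before alerting on them.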

Conclusion

GraphRunner is a potent reminder that the Microsoft Graph API offers as much power to attackers as it does to administrators. For Red Teams, it provides a structured methodology to assess Entra ID security. For Blue Teams, it highlights the critical need for advanced logging configurations.

Defenders must move beyond default logging. Enabling MicrosoftGraphActivityLogs, ingesting them into a SIEM, and utilizing Kusto Query Language (KQL) to hunt for IoCs is no longer optional—it is a requirement for securing a modern cloud tenant.

References & Further Reading

For specific KQL hunting queries and a deeper technical breakdown, refer to the original research by Invictus IR: