GraphRunner Cheatsheet
Summary
GraphRunner is a collection of PowerShell modules for post-exploitation against Microsoft 365 and Entra ID tenants through the Microsoft Graph API. Starting from a compromised user's credentials or tokens, its modules cover token acquisition and refresh, enumeration (users, groups, Conditional Access policies, registered applications, SharePoint, OneDrive, Teams and mailbox content), data exfiltration, and persistence within the tenant.
IFF Assessment
FOE
Offensive post-exploitation tooling. Once an attacker holds valid Microsoft 365 credentials or tokens, GraphRunner lets them enumerate, exfiltrate and persist using sanctioned API calls that blend in with normal tenant traffic, which is hostile to defenders even though the same tooling is used legitimately by red teams.
Defender Context
Defenders should be aware that tools like GraphRunner need no malware on an endpoint: they operate with a delegated user token against a legitimate API, so there is nothing for endpoint controls to catch. Detection therefore has to come from identity and API telemetry. Useful signals include sign-ins that use the OAuth device code flow (the way GraphRunner's Get-GraphTokens module obtains tokens), Graph requests from unfamiliar user agents or IP addresses, a single account touching many unrelated Graph resources (users, groups, sites, applications, policies) within minutes, and new OAuth application consents or group membership changes originating from that account. Understanding the capabilities of such tools helps in developing detection and response strategies that key on this behaviour rather than on any particular binary.
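As an added illustration of the monitoring point above (this is example code written for this page, not GraphRunner's own code or anything from its authors), the Python below runs two detections over constructed sample records: device code sign-ins, and one principal enumerating many distinct Graph resource families within a short window, then combines the two per user. Field names are borrowed from the Microsoft Graph signIn resource and from Microsoft Graph activity logs but are simplified, the records are hand-written, and the ten-minute window and four-family threshold are assumed tuning values.

```python
"""Added example (not GraphRunner code): two simple detections for
GraphRunner-style activity, run over constructed sample records.

Record shapes are simplified and assumed: sign-in records borrow field
names from the Microsoft Graph signIn resource; request records borrow
field names from Microsoft Graph activity logs. None of it is real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# --- Constructed sample telemetry (hand-written, not captured) ---------------
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-05-01T09:00:00Z"},
    {"userPrincipalName": "bob@contoso.example", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "createdDateTime": "2024-05-01T09:05:00Z"},
]

GRAPH_REQUESTS = [
    # alice: ordinary mail-client behaviour, a single resource family (/me)
    {"userPrincipalName": "alice@contoso.example", "timeGenerated": "2024-05-01T09:01:00Z",
     "requestUri": "https://graph.microsoft.com/v1.0/me/messages?$top=50"},
    {"userPrincipalName": "alice@contoso.example", "timeGenerated": "2024-05-01T09:02:00Z",
     "requestUri": "https://graph.microsoft.com/v1.0/me/calendar/events"},
    {"userPrincipalName": "alice@contoso.example", "timeGenerated": "2024-05-01T09:03:00Z",
     "requestUri": "https://graph.microsoft.com/v1.0/me/messages?$top=50"},
    # bob: tenant-wide enumeration across many resource families in two minutes
    {"userPrincipalName": "bob@contoso.example", "timeGenerated": "2024-05-01T09:06:00Z",
     "requestUri": "https://graph.microsoft.com/v1.0/users?$top=999"},
    {"userPrincipalName": "bob@contoso.example", "timeGenerated": "2024-05-01T09:06:30Z",
     "requestUri": "https://graph.microsoft.com/v1.0/groups?$top=999"},
    {"userPrincipalName": "bob@contoso.example", "timeGenerated": "2024-05-01T09:07:00Z",
     "requestUri": "https://graph.microsoft.com/v1.0/sites?search=*"},
    {"userPrincipalName": "bob@contoso.example", "timeGenerated": "2024-05-01T09:07:30Z",
     "requestUri": "https://graph.microsoft.com/v1.0/applications"},
    {"userPrincipalName": "bob@contoso.example", "timeGenerated": "2024-05-01T09:08:00Z",
     "requestUri": "https://graph.microsoft.com/beta/identity/conditionalAccess/policies"},
]

WINDOW = timedelta(minutes=10)  # assumed tuning values for this example
THRESHOLD = 4


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def resource_family(uri):
    """Top-level Graph resource after the API version, e.g. 'users' or 'me'."""
    parts = [p for p in urlparse(uri).path.split("/") if p]
    if parts and parts[0] in ("v1.0", "beta"):
        parts = parts[1:]
    return parts[0] if parts else ""


def device_code_signins(signins):
    """Sign-ins that used the device code flow (GraphRunner's default auth path)."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def enumeration_bursts(requests, window=WINDOW, threshold=THRESHOLD):
    """Users that touch >= threshold distinct resource families inside one window."""
    by_user = defaultdict(list)
    for r in requests:
        by_user[r["userPrincipalName"]].append(
            (parse_ts(r["timeGenerated"]), resource_family(r["requestUri"])))
    hits = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # events are sorted, so only later ones can fall inside this window
            families = {fam for ts, fam in events[i:] if ts - start <= window}
            if len(families) >= threshold:
                hits[user] = sorted(families)
                break
    return hits


def triage(signins, requests):
    """Combine both signals per user; a user showing both deserves immediate attention."""
    findings = defaultdict(list)
    for s in device_code_signins(signins):
        findings[s["userPrincipalName"]].append("device code sign-in from " + s["ipAddress"])
    for user, families in enumeration_bursts(requests).items():
        findings[user].append("graph enumeration across " + ", ".join(families))
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in triage(SIGNINS, GRAPH_REQUESTS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample data, only bob is reported, with both reasons. In a real tenant the same logic would be expressed as a KQL or Sentinel analytics rule over the sign-in and Graph activity tables, and the threshold would need tuning against the baseline of admin tooling and backup or DLP integrations that legitimately sweep many Graph resources.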