I'm quite in a pickle with GraphRunner right now. (CTF)
I was asking myself if it was possible to run GraphRunner modules like Get-AzureADUsers without previously using Get-GraphTokens. I know Get-AzureADUsers has a -Tokens argument that works when using the $tokens global variable created automatically with the Get-GraphTokens method, and I've tried hardcoding this global variable with the exact format the device code authentication was creating, but it seems like the tokens (access, refresh and id tokens) I am using do not work like the tokens I get from the normal authentication method for GraphRunner (Get-GraphTokens) do.
I previously got the tokens from EvilGinx and a Puppeteer script with a POST request containing the cookies stolen from my victim.
Does someone know a way to link my tools: EvilGinx (Microsoft 365 phishlet) -> Script using cookies to get access/refresh/id tokens -> GraphRunner, to get GraphRunner to work without having to use a device code? (This is for a capture the flag) :)
Yes, GraphRunner can work without Get-GraphTokens if you manually supply a valid $tokens object containing access_token, refresh_token, and id_token with proper Microsoft Graph scopes. However, stolen tokens from EvilGinx often lack the correct format or permissions, causing GraphRunner functions to fail.
access_token obtained through a script that leverages session cookies captured by EvilGinx
Sample:
# Manually set the tokens (access, refresh, and id tokens)
$tokens = @{
    "access_token"  = "your_access_token_here"   # Replace with actual access token
    "refresh_token" = "your_refresh_token_here"  # Replace with actual refresh token
    "id_token"      = "your_id_token_here"       # Replace with actual ID token
}
# Use GraphRunner to perform actions, e.g., get Azure AD users
Get-AzureADUsers -Tokens $tokens