GraphRunner Activity Detection: Hackers Apply a Post-Exploitation Toolset to Abuse Microsoft 365 Default Configurations

Microsoft 365 (M365) is leveraged by over a million global companies, which can pose severe threats to the customers relying on this popular software in case of compromise. Since it possesses a set of default configurations, adversaries can set their eyes on them and exploit the latter exposing affected users to significant security risks, which fuels the need for ultra-responsiveness from defenders. To help security teams detect incidents and security violations in one of M365 services, namely the O365 platform, SOC Prime provides a relevant package for security monitoring ready for deployment on the Elastic stack. 

Cyber defenders have recently identified a novel post-exploitation toolset called GraphRunner, which can be leveraged by attackers to exploit certain default M365 configurations.

Detecting GraphRunner: Post-Exploitation Toolset for M365

With millions of businesses relying on Microsoft in their daily operations, cyber defenders need to react timely and promptly to possible attacks involving M365 exploitation. To streamline the threat investigation and help security practitioners proactively identify related malicious activity, SOC Prime Platform offers a set of Sigma rules aimed at GraphRunner detection. 

All the rules are compatible with 28 SIEM, EDR, XDR, and Data Lake security solutions, mapped to MITRE ATT&CK, and enriched with dedicated threat intel context along with triage recommendations. Hit the Explore Detections button below and dive into the entire detection stack linked to the GraphRunner toolset.

Explore Detections

GraphRunner’s Features Description

Beau Bullock and Steve Borosh from Black Hills Information Security have provided an in-depth overview of GraphRunner, a new post-compromise toolset for interacting with the Microsoft Graph API that can be applied by adversaries to manipulate M365 for malicious purposes. GraphRunner was developed with the aim of identifying and exploiting typical security vulnerabilities within the Microsoft 365 environment. GraphRunner offers functionalities that can enable hackers to move laterally, steal data, perform privilege escalation and persistence within impacted M365 accounts. 

GraphRunner PowerShell script comprises the majority of modules responsible for multiple tasks that, once combined, can cause numerous attack paths. The major tool capabilities that can be weaponized for offensive purposes include browsing and exporting email, deploying malware, applying a Graph API-based GUI to exfiltrate data from a user’s account, disabling conditional access policies, retrieving app registrations and external applications to detect potentially harmful apps, and constantly updating the token package. Moreover, GraphRunner operates independently, without relying on external libraries or modules, and is compatible with both Windows and Linux OS. 

Group-based attacks can be considered one of the most intriguing GraphRunner’s capabilities. For instance, the tool can be used to change group memberships, even without administrative privileges by offering modules that exploit the default behavior of Microsoft 365 groups, thus allowing any organization member to join them. When a team is formed, it triggers the automatic creation of a Microsoft 365 group, leading to the generation of a SharePoint site, mailbox, or Teams channel. One more compelling attack vector involves creating groups to attempt watering hole-style attacks. In this use case, a malicious actor would generate a group resembling an existing one but include their own user within it. GraphRunner also contains modules for inviting guest users along with adding group members. 

GraphRunner incorporates various data extraction modules that enable attackers to discover sensitive information after compromising a Microsoft 365 account. These modules are designed for searching and retrieving data from email, SharePoint, OneDrive, and Teams. As for access maintenance, GraphRunner includes several modules that can assist in setting diverse levels of persistence within a tenant.

With the expanding attack surface for cloud environments, such tools as GraphRunner are expected to evolve accordingly and might be actively exploited by adversaries. Rely on SOC Prime’s Threat Detection Marketplace to equip your team with curated detection algorithms to effectively thwart emerging threats compromising widespread software products and timely remediate risks.

The post GraphRunner Activity Detection: Hackers Apply a Post-Exploitation Toolset to Abuse Microsoft 365 Default Configurations appeared first on SOC Prime.