GraphRunner icon indicating copy to clipboard operation
GraphRunner copied to clipboard
verified publisher icon dafthack

Update GraphRunner to include MFA bypass

Open Pri3st opened this issue 1 year ago • 0 comments

Added a -CustomUserAgent parameter to the Get-GraphTokens function. This essentially allows the bypass of MFA enablement gaps related to Device Platforms like in the image below. Screenshot (27)

Using an out-of-the-ordinary user agent, like Yahoo! Slurp bypasses the interaction_required warning when the -Device parameter fails.

Bypassed CAP Policy Example
Applies to Including: Users: <USER>
Applications Including: All applications
On platforms Including: Android, iOS, Windows, Windows_Phone, macOS, Linux
Using clients Including: Legacy Clients, Mobile and Desktop clients, Exchange ActiveSync, Browser
Controls Requirements (any): Mfa
Session controls SignInFrequency

Moreover, this argument could also contribute to OPSEC. If one knows the devices that a user utilizes to perform their everyday tasks (e.g. through OSINT), they can use the corresponding User Agent to avoid detection through out-of-the-ordinary User Agents in authentication logs.

The bypass has been successfully tested. PoC can be provided if needed.

Pri3st avatar Aug 30 '24 18:08 Pri3st