Updates

Graphpython v1.0

New commands:

• Backdoor-Script: Patches an existing device management script with malicious code
• Deploy-MaliciousWeblink: Deploys a malicious Windows web link app to all devices
• Add-ApplicationCertificate: Similar to Add-ApplicationPassword except adds a x509 cert (public key) to the compromised app (can then use the .pfx to auth as the app service principal)
• Update-UserProperties: Updates specific user properties, potentially allowing privileged access via dynamic groups
• Add-ApplicationPermission: Assigns supplied permission to target or compromised application
• Grant-AppAdminConsent: Grants admin consent to assigned permissions (if necessary)
• Find-PrivilegedApplications: Identifies high-value enterprise applications with privileged permissions assigned
• Display-FirewallConfigPolicyRules: Identifies Intune endpoint security firewall configuration policy rules
• Dump-Win32Apps: Dumps all or specific Windows applications that have been deployed via Intune
• Dump-iOSApps: Dumps all or specific iOS applications that have been deployed via Intune
• Dump-macOSApps: Dumps all or specific macOS applications that have been deployed via Intune
• Dump-AndroidApps: Dumps all or specific Android applications that have been deployed via Intune
• Locate-PermissionID: Searcher for the MS Graph API permissions reference
• Locate-ObjectID: Identifies and displays information relating to unknown object IDs (user, group, app, device, SP)
• Update-DeviceConfig: Updates writable device configuration properties in Intune

Updated commands:

• Spoof-OWAEmailMessage: Added the --email option for supplying formatted email body content
• Deploy-MaliciousScript: RunAsAccount, EnforceSignatureCheck, and more script assignment options added to customise deployment
• List-Applications & Get-Application: Now dynamically resolve Graph API app role IDs from the RequiredResourceAccess field
• Invoke-Search: Now highlights matched search terms in output