Invictus-Korstiaan invictus-korstiaan

View GitHub Profile
```powershell
# Connect to Exchange Online first (ExchangeOnlineManagement module); skip if a session already exists
Connect-ExchangeOnline
# Get all mailboxes
$mailboxes = Get-Mailbox -ResultSize Unlimited
# Iterate through each mailbox and set the default audit set
foreach ($mailbox in $mailboxes) {
    Set-Mailbox -Identity $mailbox.Identity -DefaultAuditSet Admin,Delegate,Owner
}
# Disconnect from Exchange Online
Disconnect-ExchangeOnline -Confirm:$false
```
```powershell
$ClientId = "ID-of-your-app"
$TenantId = "ID-of-your-tenant"
$ClientSecret = "Secret-of-your-app"
# Convert the client secret to a secure string
$ClientSecretPass = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force
# Create a credential object using the client ID and secure string
$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ClientId, $ClientSecretPass
# Connect to Graph as the application (client credentials flow)
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential
```
| Log source | Indicator |
| --- | --- |
| AADServicePrincipalSignInLogs | ServicePrincipalName == name-of-abused-SP |
| AADServicePrincipalSignInLogs | AppId == ID-of-abused-app |
| Module | Log source | Indicator |
| --- | --- | --- |
| Get-GraphToken | Entra ID SignInLogs | AuthenticationProtocol == deviceCode |
| Get-GraphToken | Entra ID SignInLogs | ResourceDisplayName == Microsoft Graph |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/ |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{ID} |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppID}')/appRoleAssignedTo |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications |
invictus-korstiaan / Indicators.csv
Last active December 4, 2023 11:00
Indicators
| Module | Detection | Source |
| --- | --- | --- |
| Get-GraphTokens | Yes | Unified Audit Log & Sign-In Logs |
| Invoke-RefreshGraphTokens | No | n/a |
| Get-AzureAppTokens | Yes | Sign-In Logs |
| Invoke-RefreshAzureAppTokens | No | n/a |
| Invoke-AutoTokenRefresh | No | n/a |
| Invoke-GraphRecon | Yes | MicrosoftGraphActivityLogs |
| Invoke-GraphRunner | Yes | MicrosoftGraphActivityLogs |
| Invoke-DumpCAPS | No | n/a |
| Invoke-DumpApps | Yes | MicrosoftGraphActivityLogs |
| Log source | Indicator |
| --- | --- |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/ |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{Id} |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppId}')/appRoleAssignedTo |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals/{Id} |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken={Token} |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals |
invictus-korstiaan / Get-GraphTokens.csv
Last active October 27, 2023 13:27
Get-GraphTokens
| Log source | Indicator |
| --- | --- |
| SignInLogs | AuthenticationProtocol == deviceCode |
| SignInLogs | ResourceDisplayName == Microsoft Graph |
invictus-korstiaan / Invoke-AddGroupMember.csv
Created October 27, 2023 09:40
Invoke-AddGroupMember
| Log source | Evidence |
| --- | --- |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members/$ref |
| Entra ID Audit Log | Add member to group |
| Unified Audit Log | Add member to group. |
| Log source | Indicator |
| --- | --- |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/invitations |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization |
| Entra ID Audit Log | Invite external user |
| Entra ID Audit Log | Add user |
invictus-korstiaan / Invoke-SecurityGroupCloner.csv
Created October 27, 2023 09:29
Invoke-SecurityGroupCloner
| Log source | Indicator |
| --- | --- |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members/$ref |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups?=securityEnabled%20eq%20true |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me |
| Entra ID Audit Log | Add member to group |
| Entra ID Audit Log | Add group |
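The indicator tables above list Graph request URIs with `{ID}`/`{AppID}` placeholders and sign-in attributes per GraphRunner module. As an added example (not part of these gists), the following script turns a subset of those indicators into matchers and runs them over constructed sign-in and Graph activity events; the field names `UserId`, `RequestUri`, `AuthenticationProtocol` and `ResourceDisplayName` are assumed to follow the Sentinel SignInLogs and MicrosoftGraphActivityLogs schemas.

```python
import re
from collections import defaultdict

# Indicator URIs taken from the tables above; each {placeholder} stands for an ID or token.
URI_INDICATORS = {
    "Invoke-GraphRecon": [
        "https://graph.microsoft.com/v1.0/organization",
        "https://graph.microsoft.com/v1.0/applications",
        "https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppID}')/appRoleAssignedTo",
    ],
    "Invoke-AddGroupMember": ["https://graph.microsoft.com/v1.0/groups/{ID}/members/$ref"],
    "Invoke-SecurityGroupCloner": [
        "https://graph.microsoft.com/v1.0/groups/{ID}/members",
        "https://graph.microsoft.com/v1.0/groups/{ID}/members/$ref",
    ],
}

def indicator_regex(uri):
    """Escape the literal parts of an indicator; each {placeholder} matches one ID/token segment."""
    parts = re.split(r"\{[^}]+\}", uri)
    return re.compile("^" + r"[^/?']+".join(re.escape(p) for p in parts) + "$")

PATTERNS = [(mod, indicator_regex(u)) for mod, uris in URI_INDICATORS.items() for u in uris]

def match_graph_request(request_uri):
    """Modules whose indicator matches a MicrosoftGraphActivityLogs RequestUri (query string ignored)."""
    path = request_uri.split("?", 1)[0]
    return sorted({mod for mod, rx in PATTERNS if rx.match(path)})

def match_signin(event):
    """Get-GraphTokens indicator: device code flow against Microsoft Graph (SignInLogs table above)."""
    if event.get("AuthenticationProtocol") == "deviceCode" and event.get("ResourceDisplayName") == "Microsoft Graph":
        return ["Get-GraphTokens"]
    return []

def triage(signin_events, graph_events):
    """Per UserId, the sorted list of modules whose indicators that principal triggered."""
    hits = defaultdict(set)
    for e in signin_events:
        hits[e["UserId"]].update(match_signin(e))
    for e in graph_events:
        hits[e["UserId"]].update(match_graph_request(e["RequestUri"]))
    return {uid: sorted(mods) for uid, mods in hits.items() if mods}

# Constructed sample events (assumed field names; u-bob only calls /me, which is not an indicator here).
SIGNINS = [{"UserId": "u-alice", "AuthenticationProtocol": "deviceCode", "ResourceDisplayName": "Microsoft Graph"}]
GRAPH = [
    {"UserId": "u-alice", "RequestUri": "https://graph.microsoft.com/v1.0/organization?$select=id"},
    {"UserId": "u-alice", "RequestUri": "https://graph.microsoft.com/v1.0/groups/1111-2222-3333/members/$ref"},
    {"UserId": "u-bob", "RequestUri": "https://graph.microsoft.com/v1.0/me"},
]
```

Note that `groups/{ID}/members/$ref` appears in both the Invoke-AddGroupMember and Invoke-SecurityGroupCloner tables, so a single POST to it is attributed to both modules and needs the surrounding requests (or the Entra ID audit events) to tell them apart.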