Beginner Friendly

Loot Exchange, Teams and SharePoint with GraphRunner

Get experience with a fun red team tool!

30 Minute Playing time
Overview

We created this beginner-friendly lab to showcase the GraphRunner Microsoft 365 post-exploitation toolset, and how it can be used to loot data from Exchange Online, Teams, SharePoint and OneDrive. You'll also get hands-on experience with MFASweep, PowerShell and Azure SQL Database.

Scenario

Your red team is on an engagement and has successfully phished a Mega Big Tech employee to gain their credentials. So far, attempts to increase access within Azure have reached a dead end, and you have been tasked with unlocking further access. The entire on-premises and cloud infrastructure is in scope. Your goal is to gain access to customer records and demonstrate impact.

Lab prerequisites
Basic Windows command line knowledge
Learning outcomes
  • Use MFASweep to identify Microsoft services where MFA has not been enabled
  • Use GraphRunner to exfiltrate data from SharePoint, Teams and Exchange Online
  • Move laterally and pillage data from Azure SQL Database
Real-world context

Azure and Microsoft 365 are very widely used, as organizations adopt hybrid cloud architectures and move from on-premises software and hardware to the cloud. It's critical that companies consider security as they lift and shift their data and applications to the cloud. While the Microsoft cloud has many security features, they may not be enabled by default, and companies will adjust security settings to accommodate their processes and business requirements, as well as their risk appetite. When assessing cloud security, it's important to understand which services have MFA enabled and which online services a user has access to. For defenders, it's critical to understand what the company's most important data is and how it can be protected by multiple layers of defense.

Pwned Labs:
Your cloud security training ground

Experience real-world, byte-sized cloud security labs for training cyber warriors. From beginners to pros, our engaging platform allows you to secure your defenses, ignite your career and stay ahead of threats.
