Release Notes
RedByte edited this page Dec 31, 2025 · 15 revisions
- Added support for version 2 of the Microsoft OAuth2 token endpoint
- Device Certificates
  - Create new Entra ID Joined or Registered device objects using access tokens directly from within GraphSpy
  - Import Device Certificates/Keys from a compromised device, or created using a different tool
  - Use the device certificate and key to generate Primary Refresh Tokens for a user
- Primary Refresh Token (PRT) support
  - Generate PRTs from within GraphSpy
  - Import PRTs from other tools or from compromised devices
  - Generate access tokens with PRTs
  - Generate PRT Cookies that can be imported into your browser to gain full access to any web application integrated with SSO.
- Windows Hello for Business (whfb)
  - Register WinHello keys using a user's access token linked to a joined/registered device
  - Import WinHello keys in GraphSpy from a compromised device, or from a different tool
  - Use WinHello keys to generate new Primary Refresh Tokens for the user, without needing any additional credentials or tokens (-> Very strong persistence)
- Added support for automatic actions that will be performed instantly after a successful device code authentication
  - Currently supports two auto-actions:
    - Registering/Joining a device + Obtaining a PRT
    - Everything in the previous action + Enrolling WinHello4Business for the new device to obtain WinHello keys
- Added device code login URL hints on the Device Code page
- Released Outlook Graph Module:
  - List and read emails directly with a Microsoft Graph access token
  - Send new emails or reply to existing emails with a fully featured HTML email editor
  - List and read emails of shared mailboxes that are accessible to the user (requires the `Mail.Read.Shared` scope, which can be obtained with an Outlook Mobile access token)
  - Mark emails as (un)read or delete emails from the user's mailbox
  - Use custom search queries to identify sensitive information in emails
  - Download email attachments
- Added a support button so you can support GraphSpy's development
- Fixed the MFA module after Microsoft deprecated the `account.activedirectory.windowsazure.com` endpoint. The MFA module now uses the `mysignins.microsoft.com` endpoints.
- Entra ID Module:
  - List all users in Entra ID using Microsoft Graph access tokens
  - Select which properties are requested for additional customization or OPSEC considerations
  - Fully customize which properties are shown in the result table, and export the table to CSV or Excel
  - Fetch additional information for a specific user to quickly highlight all useful information, such as its group memberships, role assignments, devices, app roles, and API permissions
- All JSON text now uses color-coded syntax highlighting across all modules
- All JSON can be easily copied using a copy button in the top right corner
- UI improvements to more clearly show a loading animation in several modules for requests that may take a longer time to load.
- MFA Methods module:
  - List available and registered authentication options
  - Delete registered MFA methods
  - Create new MFA methods:
    - Microsoft Authenticator App
    - Custom OTP App
    - Use GraphSpy as OTP App
    - Security Keys (WebAuthn / FIDO2)
      - Inspired by deviceCode2SecurityKey
    - Mobile/Office/Alternative Phones (SMS or call)
    - Alternative email address
- Request device codes with `ngcmfa` claim
- Added support for the Azure AD v2.0 token endpoint, which allows access tokens to be obtained based on scope instead of resource.
  - Note: the v1 token endpoint based on resource is still available (and used by default), although some specific use cases will benefit from having the option to obtain access tokens through the v2.0 endpoint (for example, obtaining access tokens for the MicrosoftAppAccessPanel resource to be able to add any type of MFA method to backdoor the account. Stay tuned!)
- Small fix for an issue that prevented all conversations from loading in the MS Teams module when the resolve conversation names feature was used, but the conversation was not a proper MS Teams Chat or Channel.
- Added file upload capabilities to OneDrive & SharePoint (@pwnf - #2)
- Delete files and folders on OneDrive & SharePoint
- Improved MS Teams Module
  - List all internal users in the organization
  - Search for external users
  - Create new conversations (direct messages or group chats) with internal and external users
  - Insert fake/forged message quotes in chat messages
- Custom requests now also show the HTTP Response headers
- Improved all table layouts by using the correct DataTables dependencies for Bootstrap 5
- Microsoft Teams Module
  - View conversations and chat messages
  - Send chat messages in existing conversations using the rich text editor
  - List members in a channel or teams space
  - Display images and download anonymous files
- Added some color (@HuskyHacks - #1)
  - Device Code Table colors based on status
  - Access Token Table colors based on expiry
  - Added support for colored toast messages/notifications
- Custom User Agent
  - A custom user agent can now be defined on the Settings page
  - This user agent will be used in every request initiated by the GraphSpy server
  - By default, one of the latest user agents (at the time of this update) from Google Chrome on Windows will be used.
- Access & Refresh Token modals
  - It is now even easier to switch between different access and refresh tokens from any page.
  - A "Select" button is present in every Access/Refresh Token ID field which will open an overview where every token is displayed and can be selected.
- Custom API Requests
  - Perform custom API requests to any API endpoint using access tokens from the GraphSpy database for authentication
- Custom API Request Variables
  - Create custom variables that will be replaced in the URI, Headers, and Body of custom API requests.
- Custom API Request Templates
  - Store API Request Templates into the database for easy reuse