@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://github.com/zh54321/SharePointDumper
  • Blog Title: SharePointDumper
  • Suggested Section: Azure Pentesting -> Az - Entra ID (AzureAD) & Azure IAM (or a new Microsoft 365 / Microsoft Graph / SharePoint Online subsection under Azure identity/post-exploitation); include as 'Microsoft Graph delegated token abuse for SharePoint enumeration & exfiltration (pre-auth download URLs, first-party client IDs/redirect URIs, CAE/refresh, traffic shaping)'.

🎯 Content Summary

What this is
SharePointDumper is a PowerShell-based SharePoint extraction + auditing utility designed for SOC/DLP testing, purple teaming, and basic red-team assessments. Given an already obtained Microsoft Graph OAuth2 delegated access token, it:

  • Enumerates all SharePoint sites/drives/folders/files the token’s user can access via Microsoft Graph.
  • Recursively downloads the accessible content via SharePoint using p...

🔧 Technical Details

Delegated Graph token → SharePoint data exfiltration at scale: If you obtain a delegated Microsoft Graph access token with Sites.Read.All or Sites.ReadWrite.All, you can programmatically enumerate SharePoint resources through Graph (sites → drives → folders/files) and then exfiltrate file contents by downloading items via SharePoint “pre-authentication” download URLs. This turns a token theft event into bulk document theft with high confidentiality impact.

Using pre-consented Microsoft first-party OAuth clients to get usable tokens: When many Microsoft first-party app registrations already have pre-consented Sites.Read… permissions, an operator can request tokens using those known ClientID + RedirectUrl pairs (and sometimes an -Origin header for non-FOCI clients) instead of registering a new app in the tenant. Tools like EntraTokenAid automate Invoke-Auth to obtain these to...

🤖 Agent Actions

Summary:

  • Added a new section detailing delegated Microsoft Graph token abuse for SharePoint data exfiltration with SharePointDumper, including prerequisites, pre-auth download flow, and traffic-shaping considerations.
  • Documented practical token acquisition using pre-consented first-party clients via EntraTokenAid, including CAE guidance and FOCI TRUE/FALSE examples.
  • Covered operational usage of SharePointDumper (filtering, limits, resume, proxy/throttling, automatic refresh) and updated references to the relevant tooling.

Tests:

  • Not run (documentation-only changes).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/zh54321/SharePointDumper

Content Categories: Based on the analysis, this content was categorized under "Azure Pentesting -> Az - Entra ID (AzureAD) & Azure IAM (or a new Microsoft 365 / Microsoft Graph / SharePoint Online subsection under Azure identity/post-exploitation); include as 'Microsoft Graph delegated token abuse for SharePoint enumeration & exfiltration (pre-auth download URLs, first-party client IDs/redirect URIs, CAE/refresh, traffic shaping)'.".

Repository Maintenance:

  • MD Files Formatting: 574 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
