John Stoner

Security Strategist

Back to the list of Speakers and Sessions

John Stoner Security Strategist, Google Cloud

John Stoner is a Global Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response, Detection Engineering and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST (CTI, Tech Colloquium), BSides (SF, Las Vegas), SANS Summits (DFIR, Threat Hunting, Cloud and SIEM), WiCyS, Way West Hacking Fest, AISA and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."


Talk: GraphRunner and Defending Your Microsoft Tenant

Talks will be streamed on YouTube and Twitch for free.


For organizations using Microsoft Entra ID (formerly known as Azure Active Directory) and O365, it’s fairly well understood that a set of default logs are readily available for use, no matter what log management tooling an organization is using. However, this standard logging has its limits.

Last fall, the team at Black Hills Information Security released a post exploitation kit called GraphRunner. This tool is focused on interacting with the Microsoft Graph API, which is the backbone that services Entra ID, O365 and many other services in the Microsoft cloud. The release of GraphRunner and future tools like it streamlines a number of activities that an adversary would perform after gaining access, making it simpler for anyone to use. While GraphRunner is a post exploitation toolkit, there are authentication functions that highlight how adversaries could use the OAuth authorization code flow to their advantage.

As a defender, this presents a set of challenges. Less sophisticated adversaries have a lower barrier to entry once they have gained access to the Graph API than they did before. It also highlights that the standard logging may not be sufficient to gain visibility into actions like the refreshing of tokens or other activities that a tool like GraphRunner provides.

This talk is designed to provide insight into additional data sets that Microsoft cloud users have access to but may not be as widely deployed. These additional data sets can provide defenders additional insight, detect suspicious activity and can serve as a hunting ground when confronted with an adversary using techniques like those found in GraphRunner.

Because GraphRunner contains numerous modules and is written in PowerShell, an adversary can customize it to their own needs. While we won’t be able to cover all possible permutations, our goal is to identify data sets and events that can assist defenders while using GraphRunner as a representative of the kinds of methods that adversaries might use.

Attendees will come away from this talk with: -A greater understanding of GraphRunner and its capabilities -Awareness of the logging available for the Graph API beyond the standard logging -Ideas around how detections and hunts can be designed to identify GraphRunner activity