• Stars
    star
    764
  • Rank 59,449 (Top 2 %)
  • Language
    C#
  • License
    GNU General Publi...
  • Created over 2 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts

TeamFiltration

TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. See the TeamFiltration wiki page for an introduction into how TeamFiltration works and the Quick Start Guide for how to get up and running!

This tool has been used internally since January 2021 and was publicly released in my talk "Taking a Dumb In The Cloud" during DefCON30.

Download

You can download the latest precompiled release for Linux, Windows and MacOS

The releases are precompiled into a single application-dependent binary. The size go up, but you do not need NET or any other dependencies to run them.

Usage


  ╔╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╗
 ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬─                              ╠╬╬╝╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╣                              β”‚      ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╣                              β”‚β”‚      β•šβ•¬β•¬β•β•š β””β•šβ•β•¬β•¬β•¬β•¬β•¬β•¬
╬╬╬╬╣         ╔╦╦╬╬╬╬╬╬╦╦╗         β”‚β”‚       β”‚        ╬╬╬╬╬
╬╬╬╬╣     β•”β•¬β•¬β•¬β•β•β”˜      β•šβ•β•β•¬β•¬β•¬β”     β”‚β”‚       β”‚β”‚       └╬╬╬╬
╬╬╬╬─    β•¬β•¬β•β•šβ•©β•¬β•—β•”          β•šβ•¬β•¬β•¬    β”‚β”‚       β”‚β”‚        ╬╬╬╬
╬╬╬╬─   ╬╝      β•šβ•¬β•¬β•—β•— β•”      β•šβ•¬β•—   β”‚β”‚      β”œβ”‚β”‚        ╬╬╬╬
╬╬╬╬─  ╬╬     β•”β•—   β•šβ•¬β•¬β•¬β•¬β•¬β•¬β•¦    ╬╬  β”‚β”Œ    ╔╬─││       ╔╬╬╬╬
╬╬╬╬─ ╔╬─     ╬╬╬   ╬╬╬╬╬╬╬╬╝╝╝╬╬╗ ╠╬╬╬╬╬╬╬╬╬╗      β”Œβ•¬β•¬β•¬β•¬β•¬
╬╬╬╬─ ╬╬─     β•šβ•©β”˜   β•šβ•¬β•¬β•¬β•¬β•¬β•©    ╠╬╬ β•šβ•β•β•β•β•β•β•β•β•β•¬β•¬β•—β•—β•—β•¦β•¬β•¬β•¬β•¬β•¬β•¬β•¬
╬╬╬╬─ ╬╬─                      ╠╬╬ β”‚β”‚         ╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬─  ╬╬   ╦╗            β•—β•—   ╬╬  β”‚β”‚         β”‚       ╬╬╬╬
╬╬╬╬─  └╬┐   β•šβ•¬β•—β•—      ╔╬╬╝   β•”β•¬β”˜  β”‚β”‚         β”‚       ╬╬╬╬
╬╬╬╬─   └╬╗    β•šβ•©β•©β•¬β•¬β•¬β•©β•©β•β•   ╔╬╬    β”‚β”‚         β”‚       ╬╬╬╬
╬╬╬╬─    β•šβ•¬β•¬β•¬β•—           β”Œβ•—β•¬β•¬β•β”˜    β”‚β”‚         β”‚       ╬╬╬╬
╬╬╬╬─       β•šβ•©β•¬β•¬β•¬β•¦β•¦β•¦β•¦β•¦β•¦β•¬β•¬β•¬β•β•       β”‚β”‚         β”‚       ╬╬╬╬
╬╬╬╬─            β•šβ•šβ•β•β•β•            β”‚β”‚         β”‚       ╬╬╬╬
╬╬╬╬─                              β”‚β”‚         β”‚    ╔╗╬╬╬╬╬
╬╬╬╬─                              β”‚β”‚         ╬╦╦╬╬╬╬╬╬╬╬╬
╬╬╬╬─                              β”‚β”‚     ╔╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬─                              ╬╬╬╗╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
 └╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╝
   ╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝

[❀] TeamFiltration V3.5.1 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed 
Usage:

   --outpath     Output path to store database and exfiltrated information (Needed for all modules)

   --config      Local path to your TeamFiltration.json configuration file, if not provided will load from the current path

   --exfil       Load the exfiltration module

         --username            Override to target a given username that does not exist in the database
         --password            Override to target a given password that does not exist in the database
         --tokens              Override to target a (file with newline seperated JWT tokens|single JWT| , seperated JWT tokens) and perfom exfiltration
         --cookie-dump         Override to target a given account using it's refresh-cookie-collection

         --all                 Exfiltrate information from ALL SSO resources (Graph, OWA, SharePoint, OneDrive, Teams)
         --aad                 Exfiltrate information from Graph API (domain users and groups)
         --teams               Exfiltrate information from Teams API (files, chatlogs, attachments, contactlist)
         --teams-db            Exfiltrate cookies and authentication tokens from an exfiltrated Teams database
         --onedrive            Exfiltrate information from OneDrive/SharePoint API (accessible SharePoint files and the users entire OneDrive directory)
         --owa                 Exfiltrate information from the Outlook REST API (The last 2k emails, both sent and received) 
               --owa-limit          Set the max amount of emails to exfiltrate, default is 2k.
         --jwt-tokens          Dump all gathered JSON formated JTW-tokens for SSO resources (MsGraph,AdGraph, Outlook, SharePoint, OneDrive, Teams)

   --spray       Load the spraying module

         --aad-sso             Use SecureWorks's Azure Active Directory password brute-forcing technique when spraying
         --us-cloud            When spraying companies attached to US Tenants (https://login.microsoftonline.us/)

         --passwords           Path to a list of passwords, common weak-passwords will be generated if not supplied
         --exclude             Path to a list of emails to exclude from spraying
         --seasons-only        Password genersated for spraying will only be based on seasons
         --months-only         Password generated for spraying will only be based on months
         --common-only         Spray with the top 20 most common passwords
         --shuffle-passwords   Shuffle the passwordlist before spraying
         --shuffle-users       Shuffle the target userlist before spraying
         --shuffle-regions     Shuffle FireProx regions when spraying

         --auto-exfil          If valid login is found, auto start the exfil module

         --sleep-min           Minimum minutes to sleep between each full rotation of spraying default=60
         --sleep-max           Maximum minutes to sleep between each full rotation of spraying default=100
         --jitter              Seconds between each individual authentication attempt. default=0
         --time-window         Defines a time windows where spraying should accour, in the military time format <12:00-19:00>
         --push                Get Pushover notifications when valid credentials are found (requires pushover keys in config)
         --push-locked         Get Pushover notifications when an sprayed account gets locked (requires pushover keys in config)
         --force               Force the spraying to proceed even if there is less the <sleep> time since the last attempt

   --enum        Load the enumeration module

         --domain              Domain to perfom enumeration against, names pulled from statistically-likely-usernames if not provided with --usernames
         --usernames           Path to a list of usernames to enumerate (emails)
         --dehashed            Use the dehashed submodule in order to enumerate emails from a basedomain
         --validate-msol       Validate that the given o365 accounts exists using the public GetCredentialType method (Very RateLimited - Slow 20 e/s)
         --validate-teams      Validate that the given o365 accounts exists using the Teams API method (Recommended - Super Fast 300 e/s)
         --validate-login      Validate that the given o365 accounts by attemping to login (Noisy - triggers logins - Fast 100 e/s)

   --backdoor        Loads the interactive backdoor module

   --database        Loads the interactive database browser module

   --debug           Proxy all outgoing HTTP requests through the proxy specified in the config

   Examples:

        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions
        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00
        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --aad 
        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa
        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --backdoor
        --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --database

Credits

More Repositories

1

SharpCollection

Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
1,767
star
2

BetterSafetyKatz

Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory.
C#
788
star
3

NetLoader

Loads any C# binary in mem, patching AMSI + ETW.
C#
656
star
4

SharpDllProxy

Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading
C#
523
star
5

AMSI.fail

C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process.
C#
309
star
6

SharpProxyLogon

C# POC for CVE-2021-26855 aka ProxyLogon, supports the classically semi-interactive web shell as well as shellcode injection
C#
226
star
7

CobaltBus

Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus
C#
208
star
8

AzureC2Relay

AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile.
C#
195
star
9

DeployPrinterNightmare

C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
C#
177
star
10

RosFuscator

YouTube/Livestream project for obfuscating C# source code using Roslyn
C#
119
star
11

SharpExfiltrate

Modular C# framework to exfiltrate loot over secure and trusted channels.
C#
114
star
12

ObfuscatedSharpCollection

Attempt at Obfuscated version of SharpCollection
103
star
13

SharpAppLocker

C# port of the Get-AppLockerPolicy PS cmdlet
C#
97
star
14

DLLSideloader

PowerShell script to generate "proxy" counterparts to easily perform DLL Sideloading
C++
93
star
15

UAC-D-E-Rubber-Ducky

Python2 / BASH / VBS- UAC D&E Rubber Ducky
Python
59
star
16

HIDAAF

Python - Human Interface Device Android Attack Framework
Python
36
star
17

HTB-HDBadgeGenerator

HackTheBox High Definition Badge Generator
Python
21
star
18

collector

Utility to analyse, ingest and push out credentials from common data sources during an internal penetration test.
Python
18
star
19

CobaltStuff

12
star
20

AntminerController

C# - Allows for easy changing of pools across multiple miners.
C#
4
star
21

MimiFud

3
star
22

BlackBox-0.1

The baddest box on the frequency
2
star
23

QRucible

Suprise at x33fcon
2
star
24

ProCheat

Cheating on Pro E-Sport LAN events made easy
Visual Basic
1
star
25

StreamStuff

Contains stuff made during streams
C#
1
star