February 07, 2023

TeamFiltration V3.5.0 - Improve All the Things!

Written by Melvin Langvik
Penetration Testing, Red Team, Adversarial Attack Simulation

TeamFiltration was publicly released during the DEF CON 30 talk "Taking a Dump In The Cloud". Before that public release, TeamFiltration was an internal tool for TrustedSec's offensive security operations and had been in use internally since January 2021.

In short, TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring Office 365 / Azure AD accounts. TeamFiltration aims to make post-exploitation activities efficient and modern through a centralized database and a large set of quality-of-life features for the operator.

Got a compromised Office 365 account? Give those credentials to TeamFiltration and watch the loot rain down from the target's Office 365 cloud. TeamFiltration's exfiltration capabilities include:

  • Teams: Chat logs, contact list, and shared attachments
  • Outlook: Emails and attachments
  • Azure AD/Graph API: Users, groups, and tenant information
  • OneDrive: Synced files, both user-specific and SharePoint-shared files

What's New?

After merging several branches, I'm happy to release TeamFiltration V3.5.0. Among many minor and major improvements, this version changes how TeamFiltration uses FireProx instances.

TeamFiltration + FireProx = <3

TeamFiltration no longer requires you to generate and store a pre-created list of FireProx instances in the configuration file. Instead, TeamFiltration creates and removes FireProx instances (AWS API Gateway endpoints that proxy requests to the target, so each request arrives from an AWS-owned source IP) automatically when performing tasks that require them. For TeamFiltration to do so, you simply provide an AWS Access Key and AWS Secret Key in the configuration file.

Figure 1- On Demand FireProx Generation

If TeamFiltration was unable to remove a created FireProx instance automatically (for example, because of a crash or a forced stop), the database module can now be used to list and delete FireProx endpoints.

Figure 2 - FireProx Endpoint Management

TeamFiltration will only delete FireProx instances for which you supply a specific ID, or instances that are recorded in its database (which happens when the FireProx instance is created).

P.S.: Be sure to restrict the permissions of the IAM user behind those generated AWS API keys to API Gateway administration (the AmazonAPIGatewayAdministrator managed policy) and nothing broader; these keys live in a plaintext configuration file on the operator's machine.
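To make the FireProx mechanics above concrete, here is an added example (my own code, not TeamFiltration's or FireProx's) that builds the same kind of API Gateway pass-through FireProx deploys, computes the resulting invoke URL, produces an IAM policy tighter than the managed AmazonAPIGatewayAdministrator policy, and cleans up left-behind endpoints by name. The `fireprox_` name prefix, the `fireprox` stage name and the `X-My-X-Forwarded-For` header mapping follow FireProx's conventions as I know them and are assumptions here; `boto3` is imported lazily so the pure helpers run without AWS credentials.

```python
"""FireProx-style API Gateway pass-through and cleanup (added illustration).

Every request relayed through the gateway reaches the target from an
AWS-owned address, which is what makes these endpoints useful for spraying.
boto3 is imported lazily so the pure helpers below run without AWS access.
"""
import json
from urllib.parse import urlparse

STAGE = "fireprox"          # stage name FireProx deploys to (assumed)
NAME_PREFIX = "fireprox_"   # API name prefix used for cleanup (assumed)


def api_definition(target_url: str) -> dict:
    """Swagger document for a catch-all HTTP proxy in front of target_url.

    Mapping X-My-X-Forwarded-For -> X-Forwarded-For lets the operator set the
    forwarded client address instead of leaking the real one to the target.
    """
    host = urlparse(target_url).netloc
    base = target_url.rstrip("/")
    integration = {
        "type": "http_proxy",
        "httpMethod": "ANY",
        "uri": f"{base}/{{proxy}}",
        "passthroughBehavior": "when_no_match",
        "requestParameters": {
            "integration.request.path.proxy": "method.request.path.proxy",
            "integration.request.header.X-Forwarded-For":
                "method.request.header.X-My-X-Forwarded-For",
        },
    }
    return {
        "swagger": "2.0",
        "info": {"title": f"{NAME_PREFIX}{host}", "version": "1.0"},
        "basePath": f"/{STAGE}",
        "schemes": ["https"],
        "paths": {"/{proxy+}": {"x-amazon-apigateway-any-method": {
            "parameters": [
                {"name": "proxy", "in": "path", "required": True, "type": "string"},
                {"name": "X-My-X-Forwarded-For", "in": "header",
                 "required": False, "type": "string"},
            ],
            "x-amazon-apigateway-integration": integration,
        }}},
    }


def invoke_url(api_id: str, region: str) -> str:
    """Public URL of the deployed stage; traffic sent here is relayed to the target."""
    return f"https://{api_id}.execute-api.{region}.amazonaws.com/{STAGE}/"


def least_privilege_policy(regions=("us-east-1",)) -> dict:
    """IAM policy limited to the API Gateway control plane in chosen regions.

    API Gateway IAM actions are the REST verbs; this is tighter than the
    AmazonAPIGatewayAdministrator managed policy (apigateway:* on every region).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["apigateway:GET", "apigateway:POST", "apigateway:PUT",
                       "apigateway:PATCH", "apigateway:DELETE"],
            "Resource": [f"arn:aws:apigateway:{r}::/restapis*" for r in regions],
        }],
    }


def create_endpoint(target_url: str, region: str, session=None) -> tuple:
    """Import the definition as a regional REST API and deploy it; live AWS call."""
    import boto3  # lazy: only needed here and in delete_leftovers
    client = (session or boto3).client("apigateway", region_name=region)
    body = json.dumps(api_definition(target_url)).encode()
    api_id = client.import_rest_api(
        parameters={"endpointConfigurationTypes": "REGIONAL"}, body=body)["id"]
    client.create_deployment(restApiId=api_id, stageName=STAGE)
    return api_id, invoke_url(api_id, region)


def delete_leftovers(region: str, session=None) -> list:
    """Delete every API whose name carries NAME_PREFIX (post-crash cleanup); live AWS call."""
    import boto3
    client = (session or boto3).client("apigateway", region_name=region)
    removed = []
    for api in client.get_rest_apis(limit=500)["items"]:
        if api["name"].startswith(NAME_PREFIX):
            client.delete_rest_api(restApiId=api["id"])
            removed.append(api["id"])
    return removed
```

Two things worth keeping in mind when running something like this for real: each forgotten API keeps accepting traffic (and billing) until deleted, so `delete_leftovers` or its TeamFiltration equivalent belongs in every post-engagement checklist, and the source addresses a target sees all fall in the AWS ranges for the chosen region, which defenders can block outright.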

Don't Work; Please Fix

The TeamFiltration configuration now allows you to specify a proxy URL; when TeamFiltration is run with the '--debug' argument, all of its HTTP traffic is forwarded through that proxy. This is useful when debugging problems or crashes and should make it easier for end users to open issues with a higher level of detail. Keep in mind that the proxy sees the credentials and access tokens in every request, so point it only at a proxy you control.

Figure 3 - Debugging Using Burp

Teams Enumeration Mayhem

Depending on the configuration of the target tenant, the Teams enumeration method may return a large number of false positives (non-existent accounts reported as valid). An account-name sanity check was therefore added so that no time is wasted enumerating tenants that cannot be enumerated via Teams.

Figure 4 - Team Account Enumeration Sanity Check
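The sanity check described above amounts to probing a few accounts that cannot exist before trusting any positive result. The following is an added example of that logic (my own code, not TeamFiltration's); `lookup(upn)` is an assumed stand-in for the Teams user lookup and must return True when the tenant reports the account as existing, and the two lookup functions at the bottom are constructed stand-ins for a tenant that resolves only real accounts and one that "confirms" every address.

```python
"""Canary check before trusting Teams-based account enumeration (added example)."""
import secrets
import string
from typing import Callable, Iterable

ALPHABET = string.ascii_lowercase + string.digits


def canary_upns(domain: str, count: int = 3, length: int = 20) -> list:
    """Random local parts long enough that a collision with a real user is negligible."""
    return [f"{''.join(secrets.choice(ALPHABET) for _ in range(length))}@{domain}"
            for _ in range(count)]


def tenant_enumerable(domain: str, lookup: Callable[[str], bool], canaries: int = 3) -> bool:
    """False if any canary is reported as existing: positives from this tenant mean nothing."""
    return not any(lookup(upn) for upn in canary_upns(domain, canaries))


def enumerate_accounts(domain: str, candidates: Iterable[str],
                       lookup: Callable[[str], bool]) -> list:
    """Return confirmed accounts, or raise if the tenant fails the sanity check first."""
    if not tenant_enumerable(domain, lookup):
        raise RuntimeError(f"{domain}: lookup confirms non-existent accounts; results unusable")
    return [upn for upn in candidates if lookup(upn)]


# Constructed stand-ins for two tenant behaviours; no network access involved.
KNOWN_USERS = {"alice@example.com", "bob@example.com"}


def strict_lookup(upn: str) -> bool:
    """Tenant that resolves only real accounts."""
    return upn in KNOWN_USERS


def permissive_lookup(upn: str) -> bool:
    """Tenant that reports every address under its domain as existing."""
    return upn.endswith("@example.com")


if __name__ == "__main__":
    wordlist = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print(enumerate_accounts("example.com", wordlist, strict_lookup))
    try:
        enumerate_accounts("example.com", wordlist, permissive_lookup)
    except RuntimeError as exc:
        print("aborted:", exc)
```

Three canaries are enough to catch the permissive case while keeping the extra requests (and the noise they add to the target's logs) to a minimum; the real lookup is rate limited, so there is no reason to probe more.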

TeamFiltration has also received a series of minor changes and bug fixes.

Other Changes:

  • The TeamFiltration config now lets you specify the user agent used for all HTTP traffic.
  • The interactive database module now has the option to list and remove potentially left-behind FireProx instances (this can happen if you close TeamFiltration in the middle of an ongoing password spray).
  • Merged a pull request from R-Secure fixing a crash in the OneDrive and SharePoint exfiltration method.
  • Merged a pull request from Rob Goyette that adds functionality to extract access tokens from an exfiltrated Teams database (by specifying a local path) and use them for further enumeration.
  • The account display name is now captured and stored in the database when performing Teams account enumeration. This makes it easier to match email addresses with names from third-party sources.
  • Database column names have been shortened for easier viewing when working in narrow terminals.
  • Many cleanups and minor tweaks

If you weren't already sold on how TeamFiltration can aid you in offensive security operations, I'm currently working on a short YouTube series showing how to get up and running with TeamFiltration, as well as improving the currently lacking GitHub documentation.

Grab the new release over at GitHub:

Consider subscribing to my YouTube channel: