GraphStrike: Using Microsoft Graph API to Make Beacon Traffic Disappear

By Red Siege | January 22, 2024

By: Alex Reid, Current Red Siege Intern

We at Red Siege are proud to introduce GraphStrike: a tool suite for use with Cobalt Strike that enables Beacons to use Microsoft Graph API for HTTPS C2 communications. All implant traffic routes through graph.microsoft.com and becomes very difficult to identify, because Beacon uses legitimate methods to interact with Microsoft Cloud resources.

In the offensive security world, when evasion is brought up it is usually in the context of Anti-Virus (AV) or Endpoint Detection and Response (EDR). Host-based detections remain the chief concern for most offensive security engineers when designing malware or other tooling, but organizations are increasingly complementing their security stacks with mature network-based detection capabilities. Network evasion isn't a new concept: the commercial Command and Control (C2) software Cobalt Strike added functionality to customize the appearance of its network traffic in 2014. In the intervening years, however, the capability and fidelity of network-based monitoring and detection mechanisms have progressed to the point where they present a real challenge during offensive operations.

Advanced Persistent Threats (APTs) and other real-world threat actors have also taken notice, increasingly turning to commercial third-party services like Slack, Discord, Google Drive, and Telegram to smuggle their C2 traffic out of a compromised network without detection. Legitimate services are incredibly attractive for C2 purposes, since aggressors can abuse their reputation to blend in and avoid scrutiny. While the options are myriad, Microsoft services are particularly attractive targets because programs like Microsoft Teams, Outlook, and OneDrive are ubiquitous. To make things easier, all of these services can be accessed and manipulated via Microsoft Graph API. From Microsoft:

Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources.

APTs have been observed deploying malware that uses Graph API for C2 in campaigns over the past several years. Examples include:

  1. BLUELIGHT – APT37/InkySquid/ScarCruft

  2. Graphite – APT28/Fancy Bear

  3. Graphican – APT15/Nickel/The Flea

  4. SiestaGraph – UNKNOWN

Network traffic addressed to Microsoft-owned domains and IPs is extremely unlikely to draw attention, and it can be very difficult to distinguish legitimate usage of Graph API within a network from illegitimate usage. As offensive security professionals we are in the business of adversary emulation, but implementing third-party services for C2 can be challenging, both from a technical standpoint and in terms of time and resources. To address these challenges and enable authorized red teams to easily bring advanced adversarial tradecraft to the table, Red Siege is pleased to announce the release of GraphStrike.

GraphStrike is a tool suite for use with Cobalt Strike that enables Beacons to use Graph API for HTTPS C2 communications. It includes a provisioner to easily set up the required assets, both locally and in Azure, with the only real prerequisite being a Microsoft tenant with a SharePoint site.

After completing setup and importing a single Cobalt Strike aggressor script, Beacons generated by the Cobalt Strike Team Server will send all C2 traffic to graph.microsoft.com. This can be seen in the following image (you’ll need to zoom in):

Depicted is a Wireshark capture showing a DNS request for graph.microsoft.com and an answer containing the corresponding IP. An HTTPS connection is then initiated to that IP, and using Process Explorer we can see that the GraphStrike.exe process initiated and holds this connection. In the bottom left of the image, a screen capture from Cobalt Strike shows a Beacon calling out from the GraphStrike.exe process and confirms that the connection seen in Wireshark belongs to the implant.
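The capture above makes the defender's point: at the network layer the connection to graph.microsoft.com looks like any other, and it is the initiating process (here GraphStrike.exe) that gives the implant away. As an added example that is not part of the GraphStrike release, the following Python correlates network-connection records with their image path and flags Graph clients that are not on an allowlist of expected first-party binaries; the record format, the allowlist entries and the sample events are constructed assumptions.

```python
# Added defender-side example (not GraphStrike code): correlate connections to
# graph.microsoft.com with the process that opened them, as the Wireshark and
# Process Explorer pairing above does, and flag unexpected Graph clients.
import re

GRAPH_HOST = "graph.microsoft.com"

# Assumed allowlist of first-party image paths expected to talk to Graph.
EXPECTED_GRAPH_CLIENTS = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\windowsapps\msteams.exe",
}

# A Graph client launched from a user-writable location deserves a closer look.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads)\\", re.IGNORECASE)

# Constructed records in the shape of Sysmon Event ID 3 (network connection) fields.
SAMPLE_EVENTS = """\
Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|DestinationHostname: graph.microsoft.com|DestinationPort: 443
Image: C:\\Users\\jdoe\\AppData\\Local\\Temp\\GraphStrike.exe|DestinationHostname: graph.microsoft.com|DestinationPort: 443
Image: C:\\Windows\\System32\\svchost.exe|DestinationHostname: login.microsoftonline.com|DestinationPort: 443
"""


def parse_event(line):
    """Turn 'Key: value|Key: value' into a dict with lowercase keys."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def find_unexpected_graph_clients(events):
    """Return (image, severity) for each Graph connection from a non-allowlisted process."""
    findings = []
    for line in events.splitlines():
        ev = parse_event(line)
        if ev.get("destinationhostname", "").lower() != GRAPH_HOST:
            continue  # only connections to the Graph endpoint are of interest here
        image = ev.get("image", "")
        if image.lower() in EXPECTED_GRAPH_CLIENTS:
            continue  # known first-party client, expected to use Graph
        severity = "high" if USER_WRITABLE.match(image) else "medium"
        findings.append((image, severity))
    return findings


if __name__ == "__main__":
    for image, severity in find_unexpected_graph_clients(SAMPLE_EVENTS):
        print(f"[{severity}] unexpected Graph client: {image}")
```

The allowlist is the weak point of this check and must be built from an inventory of the tenant's own Graph-using software; the severity tiering only prioritises review, it does not prove maliciousness.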

GraphStrike supports almost all native Cobalt Strike capabilities and aims to make the use of Graph API for authorized red team engagements simple, reliable, and effective.

A developer blog post detailing the design process and technical details of GraphStrike may be found at GraphStrike: Anatomy of Offensive Tool Development.

GraphStrike is available for download here.

About Alex Reid, Intern:

Alex Reid is an intern at Red Siege Information Security. Alex got started in offensive security 4 years ago on the United States Navy Red Team, and has been awarded several medals by the military for his work there as an advanced capabilities developer and red team technical lead. He has presented at several DoD Red Team conferences and is an active contributor to the offensive security community via open source tooling published on his personal GitHub.

Certifications:

OSCP, OSEP, and RTJC

Connect on Twitter and LinkedIn
