Havoc: SharePoint With Microsoft Graph API Turns Into FUD C2

    Date: 03/10/2025

    Severity: Medium

    Summary

    "Havoc: SharePoint With Microsoft Graph API Turns Into FUD C2" refers to a campaign in which threat actors use the Havoc command-and-control (C2) framework, an open-source project available on GitHub, to obtain full remote control of compromised hosts. In this campaign the Havoc agent talks to SharePoint through the Microsoft Graph API, so its C2 traffic is carried over legitimate Microsoft 365 endpoints and blends in with normal cloud activity; this is what lets the operators describe the setup as "Fully Undetectable" (FUD). Havoc provides post-exploitation capabilities comparable to other C2 frameworks such as Cobalt Strike and Sliver.

    Indicators of Compromise (IOC) List 

    URL/Domain

    hao771.sharepoint.com

    Hash

    51796effe230d9eca8ec33eb17de9c27e9e96ab52e788e3a9965528be2902330
    
    989f58c86343704f143c0d9e16893fad98843b932740b113e8b2f8376859d2dd
    
    a5210aaa9eb51e866d9c2ef17f55c0526732eacb1a412b910394b6b51246b7da
    
    cc151456cf7df7ff43113e5f82c4ce89434ab40e68cd6fb362e4ae4f70ce65b3

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "hao771.sharepoint.com" or url like "hao771.sharepoint.com"

    Detection Query 2

    sha256hash IN ("51796effe230d9eca8ec33eb17de9c27e9e96ab52e788e3a9965528be2902330","989f58c86343704f143c0d9e16893fad98843b932740b113e8b2f8376859d2dd","a5210aaa9eb51e866d9c2ef17f55c0526732eacb1a412b910394b6b51246b7da","cc151456cf7df7ff43113e5f82c4ce89434ab40e68cd6fb362e4ae4f70ce65b3")

    The hash values are written in lowercase here. If your sha256hash field is stored in mixed or upper case, normalise it to lowercase before the IN comparison, otherwise an exact-match query will miss the indicator.
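    As an added example (not Gurucul's query engine and not code from the advisory or from Fortinet), the two detection queries above applied to a handful of constructed log events in Python. The IOC domain and SHA-256 hashes are the ones listed above; the event field names userdomainname, url and sha256hash follow the queries, while the host names, the Graph API URL and the sample events themselves are constructed for the illustration. The block also shows the two practical checks a SOC would want: the domain is matched as a substring of the full URL as well as the host field, because a Graph API request to graph.microsoft.com can carry the tenant name only in its path, and hashes are compared case-insensitively so a sensor that reports uppercase hex still matches.

```python
"""Run the advisory's two IOC checks over sample log events.

Added illustration code, not Gurucul's query engine. The events below are
constructed for the example; the domain and hash indicators are the ones
listed in the advisory.
"""
import json
import re

# IOC domain from the advisory (compared case-insensitively).
IOC_DOMAIN = "hao771.sharepoint.com"

# IOC hashes from the advisory, normalised to lowercase once so that every
# comparison is case-insensitive (the advisory lists one with a capital 'A').
IOC_SHA256 = {
    h.lower()
    for h in (
        "51796effe230d9eca8ec33eb17de9c27e9e96ab52e788e3a9965528be2902330",
        "989f58c86343704f143c0d9e16893fad98843b932740b113e8b2f8376859d2dd",
        "A5210aaa9eb51e866d9c2ef17f55c0526732eacb1a412b910394b6b51246b7da",
        "cc151456cf7df7ff43113e5f82c4ce89434ab40e68cd6fb362e4ae4f70ce65b3",
    )
}

HEX64 = re.compile(r"[0-9a-fA-F]{64}")

# Constructed sample events (JSON lines). Host names and URLs are assumptions.
SAMPLE_EVENTS = [
    # Direct access to the attacker's tenant: both fields match Query 1.
    '{"host":"WS-011","userdomainname":"hao771.sharepoint.com",'
    '"url":"https://hao771.sharepoint.com/"}',
    # Graph API request: the tenant host sits in the URL path only, so a
    # host-only check would miss it; the url substring match still fires.
    '{"host":"WS-012","userdomainname":"graph.microsoft.com",'
    '"url":"https://graph.microsoft.com/v1.0/sites/hao771.sharepoint.com:/drive/root/children"}',
    # Benign SharePoint tenant: no match.
    '{"host":"WS-013","userdomainname":"contoso.sharepoint.com",'
    '"url":"https://contoso.sharepoint.com/"}',
    # File event whose sensor reports the hash in uppercase: Query 2 matches
    # after normalisation.
    '{"host":"WS-042","sha256hash":'
    '"A5210AAA9EB51E866D9C2EF17F55C0526732EACB1A412B910394B6B51246B7DA"}',
    # File event with an unrelated hash: no match.
    '{"host":"WS-043","sha256hash":'
    '"0000000000000000000000000000000000000000000000000000000000000000"}',
]


def matches_query1(event: dict) -> bool:
    """Detection Query 1: IOC domain appears in userdomainname or url.

    Substring match (the `like` semantics of the original query), lowercase
    on both sides so host case does not matter.
    """
    for field in ("userdomainname", "url"):
        value = event.get(field)
        if isinstance(value, str) and IOC_DOMAIN in value.lower():
            return True
    return False


def matches_query2(event: dict) -> bool:
    """Detection Query 2: sha256hash is in the IOC set, case-insensitively.

    Malformed values (wrong length, non-hex) are rejected rather than
    compared, so a truncated hash cannot produce a false negative silently.
    """
    value = event.get("sha256hash")
    if not isinstance(value, str) or HEX64.fullmatch(value) is None:
        return False
    return value.lower() in IOC_SHA256


def scan(lines):
    """Return [(host, [matched query names])] for every event that hits."""
    rules = (("Query1", matches_query1), ("Query2", matches_query2))
    hits = []
    for line in lines:
        event = json.loads(line)
        matched = [name for name, check in rules if check(event)]
        if matched:
            hits.append((event.get("host"), matched))
    return hits


if __name__ == "__main__":
    for host, matched in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(matched)}")
```

    Of the five constructed events, WS-011 and WS-012 trigger Query 1 and WS-042 triggers Query 2; the Graph API event is the one that a host-only rule would have missed.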

    Reference:

    https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2


    Tags

    Vulnerability, Tool, SharePoint, Havoc, Microsoft Graph API

