Persistence using Microsoft Outlook

As you know, Microsoft Office is one of the most used productivity suites in the game. Just about every enterprise uses Outlook as their email client. In the hunt for obscure ways to persist on a machine, I created this.

Before I begin, I want to give a shout-out to Matt Graeber. Matt is an amazing researcher and he came up with Invoke-Shellcode, which is used in this method. Give him a follow on Twitter https://twitter.com/mattifestation

This type of attack is a Macro attack. The way this works is there is a Powershell script that runs 24/7 on the machine, which checks the default inbox for your email address and a specified subject at a given interval. When it sees your email, it shovels you a shell and deletes that email. I have made both the attack macro and the persist Powershell script available on Github: https://github.com/enigma0x3/OutlookPersistence. There are 4 functions in the macro.

Execute: Upon opening the document, it uses Invoke-Shellcode to shovel you a shell

Persist: This function writes a text file to C:\Users\Public, changes the extension to .vbs and sets the attributes to hidden. This .vbs file is a wrapper that executes Powershell and passes Persist.ps1 to it.

Reg: This function creates a registry key in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that points to the hidden .vbs file. This ensures that the Powershell script starts back up after a reboot.

Start: This starts the script immediately

1

To execute this, you create a document with a VBA macro and paste in the macro code (you need to update the IP address that your multi/handler is listening on). You then pull down Persist.ps1 and throw it on a public server. Once it is accessible, you need to change the email address, trigger word and IP address. Save the file and send the document off to the target. That is it.

Here is a demo:

https://www.youtube.com/watch?v=yjZgno54o1c&feature=youtu.be

One thought on “Persistence using Microsoft Outlook

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s