Lately I’ve been neglecting my CTF posts so I could put some time into OutlookToolbox, a C# DLL that uses COM to target Outlook in the background. Additionally, I put together a Cobalt Strike Aggressor script to assist with the execution of OutlookToolbox, both of which can be found at the repository here – https://github.com/ThunderGunExpress/OutlookToolbox.
This is a quick and dirty post which will cover the features. Later, I plan on creating another post which further explores potential use cases of OutlookToolbox.
- Only use for good.
- I have not done extensive testing with this tool, use at your own risk. I recommend testing OutlookToolbox on a replica of your target first.
- The Aggressor script uses several brm (file and/or directory remove) function calls which can bulldoze entire directories if input is not sanitized correctly. I’ve tried to iron out all the issues, but still, I would put OutlookToolbox in a non-critical directory like C:\Users\Public\Documents just to be safe.
What it Does
- Lists folders in Outlook (Inbox, Sent Items, Conversation History, Joe’s Custom Folder … )
- Exports target folder to a CSV File
- Enumerate targets using the GAL
- Download specific messages
- Sends an email on behalf of the target user
How to Prevent
Configure Outlook’s programmatic access security to report on suspicious activity – MS link. Email encryption will cause several of these functions not to work, not a bad idea.
Cobalt Strike Aggressor Script
The following are screen captures of the Cobalt Strike Aggressor script that is in the github repository. This is not required, an external application or rundll32 can be used instead.
Note, the script can be a bit buggy since I used beacon_output_alt to handle completion of downloads.
Upload OutlookToolbox DLL
This menu option will ask the user for the local location of the OutlookToolbox DLL. It will upload the specified file to $targetDir, a global variable in the script which is currently configured to C:\Users\Public\Documents\ … do not change this to a critical directory like C:\ or C:\Windows\System32\, see the note about BRM above. Once the upload is complete it will rename the file to OutlookToolbox.dll.
Delete OutlookToolbox DLL
This menu option calls the SanityCheck function, used to test for configurations which might cause a popup on the target machine. This function checks the following:
- Outlook is installed
- Outlook is running (anything but 1 instance of Outlook.exe will cause OutlookToolbox.dll to stop)
- ObjectModelGuard registry key
- If Outlook is relying on AV, OutlookToolbox will check the status of AV and ensure it is up-to-date and enabled … funny, eh?
- Checks that the process (Cobalt session) calling rundll32 is the same integrity level as Outlook.exe
Enumerate Outlook’s folders and number items.
Gather information about target user using the GAL. This can be used in conjunction with EmailPivot to increase the authenticity of an internal phish.
Folder To CSV
Exports target folder to a CSV file. Body length is truncated to keep the size down. This Cobalt Strike function uses sleep so it will seem like CS has hung, just wait it out.
Downloads a single message if using index, or can download a collection of emails sent by a specified user. If downloading several emails, OutlookToolbox will zip the contents before downloading.
Sends an email on behalf of the target user using a specified .msg file. Email pivot can also create an Outlook rule to mute replies from the target recipients. Note that currently there is not function to remove rules.