
Owning MS Outlook with Powershell

BSides Philly · 2017 · 52:47 · Published 2017-08
Tags
Category: Technical
Team: Red
Style: Talk
About this talk
Most companies, businesses, and organizations rely on Microsoft Outlook for managing email. This talk explores how Outlook can be leveraged for the benefit of red teams and penetration testers using only Windows PowerShell. Going beyond the basics of mere data mining, we will explore manipulating Exchange rules to better enable client-side exploitation opportunities and gain further access. From there we'll move on to maintaining access, covering everything from basic and dynamic triggering methods to collection automation techniques.

Andrew Cole (@colemination) is a security researcher with an obsessive passion for Windows PowerShell. In a past life he was a Military Intelligence Systems Maintainer, a Cryptologic Network Warfare Specialist, and Journeyman Interactive Operator for the US Army. He currently works for Chiron Technology Services' Information Operations Team as a Computer Network Exploitation (CNE) instructor and content developer, and has previously spoken at BSides Augusta and NolaCon.
Transcript [en]

all right so it's four or five let's go ahead and get started I know this is the last talk of the day and everybody's eager for beer-thirty so I promise I will not run long this is owning Microsoft Outlook with PowerShell Who am I my name is andrew cole on twitter i'm at culmination I am currently a Content developer and see any instructor for Chiron technology services information operations team it's fancy talk where we teach people how to break things and hack things I also do security research part time in a previous life I've was a military intelligence systems maintainer an integrator I was a Cryptologic Network warfare specialist and a journeyman interactive operator for the US Army out

of Fort Meade so did a lot of fun different breaky things I've talked at a couple different places a bunch of b-sides NOLA con in the National Security Agency that's all that's exciting about me in any way shape or form so I need to throw out a couple of obligatory thank-yous first of all my boss for actually paying me to do this that's always a wonderful thing and second of all besides for letting me come and talk it's always cool to do the inaugural run of a new conference and some PowerShell props I got to throw out there first off ed Wilson Microsoft scripting guy I borrowed little snippets of code from him here and there and we always

give him credit for it and also Matt Nelson who's with various groups adapter threat division he wrote a piece of code that inspired me to do a lot of what I did in this talk okay so why outlook and why PowerShell quite frankly why not I'm pretty sure everyone here probably uses outlook at work you probably have Windows 7 or newer for your computers so that means that I outlooks going to be installed on the Box PowerShell version 2 were newer is going to be on the box by default so everything that I need to do exploitation is already there on the host if I can live off the land and go native and use things that ship with the

operating system or that are already there in the environment why would I want to use any other tools I'm sure every do I have any pen testers and red teamers in here I assume so so I'm sure everyone has their own custom tool set but the more you use your custom tool set the sooner it's going to get burned and it's not going to work anymore so if you have open source or freely available native tools that can accomplish the same goals use those first save your specialized tool set for when native things just don't work [Music] additionally PowerShell is our own I drink the power show kool-aid by the gallon I drink so much I pee blue it's

really good kool-aid power show can do just about anything with its direct access to the dotnet framework in addition to its full ability to control WMI I mean if you can't do it with dotnet and WMI it doesn't need to be done you can do anything you just have to be a little creative about how to do it so pretty much everything that's going to be covered in this talk is going to leverage a similar concept and that is to basically create a new comment that is going to be Microsoft's outlook so we're going to be creating a new object it's not going to be pointing to it it's not a pointer to an object

it's not a reference to it it is going to be creating the actual dotnet object for Microsoft Outlook it is an important thing to note that anytime you do this if outlook is not already running guess what it's going to do it's gonna start outlook and someone's gonna notice that outlook opens up on their desktop without them clicking anything so if outlooks not already running in the environment you might want to when you call the object do it tack is visible false so that it doesn't start up outlook in the person's face instead sets in the background if outlook is already running though you do not want to do is visible false or the outlook

will disappear so just things to keep in mind okay so the first thing we're gonna look at we're gonna start out with some data mining from there go on to some client-side some triggering techniques and then finally wrap up with the bare-bones basics of automation so for data mining everything that's in Outlook it views it all is just folders so your inbox your contacts your tasks all those things are just different folders and as long as we know what the folder number is that holds those objects we can tell Outlook to grab those particular items in that folder ie the contacts or tasks or calendar and display them to us it works for every single folder so

anything that's in Outlook anything that's stored in there so if you get on to you know the CEO of the company's computer it's gonna be everything that you need to know about the company if it's stored in Outlook we have access to grab it so let me just go to the code real quick and we will take a peek at this I designed this and this is all rough proof of concept code please do not take it and use it in an engagement without thoroughly testing it yourself everything does functionally work but it's not necessarily the most OPSEC friendly at the current moment in time it is all in github though and the link will be on the end of the slides if you

want to grab it and download it you're more than welcome to branch it to whatever you want with it so I set this up to pull by default the inbox but you can throw switches on there to tell it what you want it to grab another great thing about writing tools in PowerShell if you get the ISE open like this and you do ctrl J you can make a command lit template that populates your help menu for you and then you just have to fill out the blank and your tool has full help support that's crazy all right so again the I just made a simple function it's called get outlook and it's just gonna data

mine that outlook whatever the current user that whose token you have it'll start their outlook and strip the information out of it by default does the inbox but you can throw in a switch to have it go to the sent items folder calendars contacts tasks and we'll get to the full switch in just a second all right so it's just a bunch of if statements that say if the switch calendar was there set the folder to be the outlook folder that matches the calendar and if it's contact switch the contacts so on and so forth down here we're gonna do is so if it's pulling emails its first it grabs the target folder that holds the emails it's gonna

populate them up and store them in a variable once they're stored in that variable its if the full switch has been given it's going to give you the full email when I say the full email I don't mean the body I mean the full email all the metadata from senders to saying whatever looked at the full metadata of an email I mean it's it's ridiculous a one-line email will produce this much information so I put a little disclaimer on there to stop you from running the whole you know to let you know hey this is gonna be a really big thing you're making are you sure you want to do this pardon yep yeah it'll lottie dottie

everybody it'll scrap scrape the whole shebang whatever's there it's gonna grab okay that is big enough so if you do say yes that you're alright with scraping it then it will grab everything otherwise it cancels and reverts to the standard output which is just a little table that shows you the sender's name the subject line and the first line of the body and that's about all there is to the code it's a pretty simple little program man down so I am going to I thought about live demoing this but it turns out having a domain controller an exchange server and two workstations running to do a demo it kind of killed my laptop that's more juice than I ran out of RAM

basically so I ended up recording videos to cover all of the items come on there she goes alright so like any PowerShell module you have to import it before you can use it you can do this with the direct path or if you had put it too in the modules folder on the target then you can just import it if you're doing this in target space though you probably don't want to start populating the modules directory of their PowerShell they don't need your tools so if I type get outlook by itself it just hold summary listing of the emails so you could see if there was anything in there that was worthwhile if you do the full again says are you sure

you want to do this because it's gonna be really really big sure there's only four emails we can pull the poll so you can see it literally it does it scrapes everything about the email so there's anything you ever wanted to know about email metadata have at it and it will scrape it for you if you wanted to I think the next thing I do is I go after the contacts nope scrapes the sent folder so if you put the sent switch it switches to the sent folder if you put contacts again it'll switch to contacts tasks and calendar as well so I only had one thing on the calendar I just populated one event so

that there would be something there to display but it will scrape whatever you want it to grab I thought the video went a little faster than this alright so now it's gonna go and grab contacts and again it's just changed to switch to contacts and it's gonna grab what I consider to be the relative and important fields out of contacts if you wanted any additional fields just modify the script put the name of the field in there and it'll grab it yes that will only be the contacts that that user has saved so it's not going to be it's not scraping like the global catalog or anything it's just anything that they've entered into that contacts field manual

so yeah you know that section that no one ever uses I figured why not get everything while I was at it I only have it set to grab the primary inbox if you wanted to grab like the PSD files if they're already mapped to Outlook you would just need to look up what that folder number is so everything's assigned to folder I think junk is I think 23 inboxes I want to say 6 so you just have to find what the number is that's assigned to each box and then tell it to do that particular item yes it is standardized as far as the default boxes so like junk sent inbox those are always going to be the same once someone

starts adding new folders it's going to be assigned whatever number it gets assigned I'm not sure what the rhyme or reason is to what number it gets but I it'll pick something that's unused all right so let's move on to the gloriousness of client side now anyone familiar with spam confidence levels SC LS so anytime an email gets sent exchanged looks at it and it says ok what is the likelihood that this is going to be spam if it's sent from internal to the network it's considered a trusted email and it gets a spam confidence level of minus 1 anything minus 1 is going to get delivered to the inbox period no matter what after that if it's zero it's gonna

go to the Inbox if it's set up at I think it's right around 3 it trips the threshold for junk and it will go to the junk mail folder instead of going to your inbox the other ones that are there by default are delete and reject the only difference between delete and reject is whether or not the sender gets notified that their email was deleted so if you send a email that has an executable attached and a link into it and it's coming from a Nigerian prince who wants to send you money to a bank account and sell you viagra at a great price on the side you're probably gonna hit an SEL a9 and

it's just gonna get deleted and never touch the disk so just everything that you do to an email can increase its SCL especially if you add any attachment that has executable functionality that includes a PowerShell script or an XE file or a batch file anything that can execute it increases the SEL anytime you put a link inside of an email it increases the SEL a little bit so knowing where the SEL threshold is and what's going to happen to your particular email can be very beneficial so disclaimer this isn't actually using Outlook it's technically using exchange but I'm still going to count it so PowerShell has a built-in command lit it's not available on standard

powershell it's only on powershell for exchange so if you get onto an exchange server you can open up the powershell there and there's this great little command lit called new transport rule so you can put a new transport rule this will be transparent to the user the only person that will see it is someone who has access to the exchange server who can look at transport rules so in the first one I just made new transport rule named it whatever said SEL anything coming from my email address I want to set the SEL to be minus 1 if it goes to my target so now I can send him executable files and they will not go to

the junk folder they'll go to the Inbox what's the great benefit of that when anything goes to the junk folder every executable code gets disabled so it won't run and all the links get killed so it's really hard to client-side someone if they can't click on any of your stuff so you would already have to be in the network for this because you'd have to be on the exchange server but once you are you can put that SEL rule in place and it will modify the spam confidence level for anything coming from your attacking email make sure you put a from email as well as your target you don't want to just put it the

target's email address or every piece of spam is going to go to box and you'll get caught real fast there's other things you can do the bottom example this new transport rule named BCC anything sent to that user the exchange server is gonna blind carbon copy it in the backgrounds to me so now maybe I don't need to get in the network maybe I just want to get this guy's email and everything that he gets sent to him it's gonna come to me too now tada I won and I didn't even have to go anywhere I love not having to leave the house alright okay we're in good shape so now we're gonna get to some of

the more fun things we're gonna dig into where I think outlook can really shine may think about it what is a backdoor is a wonderful thing exploitation makes a mess it's a pain in the butt and sometimes it can do bad things to boxes so I try to not exploit any more than they have to every back door has a pro and a con right you've got to use at the end of the day it either has to bind a socket or it has to call out so you've either got a beacon which is probably preferred these days which generates unnecessary network traffic or you've got something that's holding a bloody socket open on the host

and can be defeated by netstat I never use a bind shell anymore ideally you want something that has the best of both worlds you want something that's going to call out but only when it receives a specific trigger there is nothing that makes a better triggering mechanism than email I mean think about the very nature of how email works you have something that's designed to take random information from the internet and put it on the target host that sounds like a triggering mechanism to me if I ever heard one so we're just gonna take advantage of that natural functionality that exists in Outlook to take data from the outside and deliver it into the network and we're gonna use it to carry

our triggers in okay quick disclaimer this is not a persistence mechanism this is only a triggering mechanism you're still going to need something to start your PowerShell script and what you use for that I mean you can go old-school use the registry or a service or you can go new school and you PowerShell to register a permanent WMI event that starts your page starts your script as soon as the box boots whatever suits your particular fancy what we're generally gonna do you'll have to already have a payload that it's gonna call I have it just pointing to an executable payload so I have it pop a calculator because I guess that's what you're supposed to do with proof of

concept code if you wanted to run a script instead I could have taken shell code and instead of having it start an executable file I could have just put in their shell code equals and then give my string and then invoke shell code which would have started the shell code native in the script but it's harder to show it's really easy to see a calculator scar so what it's gonna do is it's gonna monitor the Inbox for a particular trigger email as soon as it receives that email it's gonna start the payload and then as soon as it starts the payload it's going to go back and clean up all the evidence from the from the

email so it'll delete the email and then remove it from the deleted items folder as well so that the evidence of your trigger is gone at that point it's gonna sleep for a designated interval because you don't want it constantly you know pulling the box or someone's got a notice that you know 80% of their RAM is being used up by PowerShell and outlook which is not fishy at all yes I'm sorry I don't have it doing that I don't believe but you could I don't know if you delete it out of the Leedom items folders it's still live in the recovery so you have to delete it three times

so no I do not have it going there I never even occurred to me I just rolled with the thought that if I delete it out deleted items it's gone well so that would be for version 2.0 we will put in that added a little step okay so for this one the code gets a little more complicated this I don't think this is a hundred lines it's a little more so what it does for the email to be the trigger it has to come from a specified email address and have a specified subject line doesn't matter what's in the body it's just looking for those two things so when you start your script running you have to let it know what that email

address is going to be that you're going to be coming from and what the party over there what the subject line is going to be if either one of the things doesn't match it will not trigger by default it monitors the Inbox but I did throw a switch in there that you can have it monitored the junk folder instead maybe you don't want emails to be popping up all the time saying that a sender sent an email especially since we're gonna be deleting them and it's kind of weird if you get a pop-up says hey you've got an email and then you look in the email and it's not there people notice that after a while so

maybe you would want to put a transport rule in that sets your SCL to automatically go to the junk folder I don't need any execution here I just need it to see the email so maybe you would want to do that use the junk folder instead nobody ever gets a pop-up life's good and honestly who looks at their damn junk folder anyways so so the deleted items folder is folder number three the junk folder is 23 and the inbox is six so I was completely wrong about the folder numbers before I had them all switched up that's why there's the internet so we can look these things up so what it's gonna do it's similar to what the last one did

it's gonna create a new comment that is Microsoft Outlook it's then going to set the folder to whatever folder we told it junk our rain box and then it's going to grab all the items that are in that folder ie the emails and save them in a variable called emails it's then going to take those emails one at a time and pass them across to the for each it's short for for each object so we'll look at each email individually and if the emails sender email address matches the sender mail or sender email that we set in the script and if the subject matches the trigger subject then the first thing we do is we set it to the unread field

we set that to false so it doesn't stick out as much in the Inbox so it looks like something they already looked at we then start process for whatever we designated the payload to be assume it's probably a reverse TCP payload it's just gonna call back out at that point it sets a variable called cleaned to false cuz it's gonna have to do this same process of looking through all the emails in the deleted items folder as well I don't want it to do that every time if it hasn't gotten a trigger email because that's just gonna burn Ram for no reason so as long as the clean variable is set to false it's gonna try

to clean up as soon as it switches it back to true it stops the cleanup part and only monitors that way we reduce our RAM usage by about 45% for the script overall all right so it deleted the email set the clean to false after that if cleaned is set to false then it goes through the following items so it deletes it out of the deleted items folder and then it sets the clean variable to true with the clean veritably being true this logic will not hit again until we get another trigger after that it's going to go into its sleep cycle so the sleep is in seconds you have to be careful with the sleep

cycle if you set it to too long the emails your triggers gonna sit there for a hot minute and it's likely to be noticed if you set it to too short though it's gonna just scan constantly and again it's gonna start to burn up Ram and I mean it's not a horrible burn but it you set that to like two or three seconds you can see the RAM load for the process getting up to about 25% which is a little bit heavy because think about it it's a while loop that's running forever and constantly scanning every single email it gets a little resource intensive alright okay so just like before we're gonna have to import the

module once it's loaded life should be good so I have the trigger in the junk in the junk folder at the moment so that it should scan and not see the trigger email and then when I move it to the inbox it should see it trigger off of it and call back so the new outlook trigger will set it with the sender email of bad user at malware comm you can send all these there's to send mail message command lit that lets you send emails to anybody as anybody I sent job offers to my co-workers from M Zuckerberg at FB comm was hilarious he almost quit but we're gonna set it with the email the

trigger subject to trigger and the payload is just going to be a calculator and I set the delay to two and then I tell it verbose so all those lines has had write verbose those don't do anything unless you run the command with a verbose switch in which case it displays it so it's searching sleeping searching sleeping it's just spinning through and as soon as I move this email over it shouldn't take long for it to there we go so it it goes through it pretty quick obviously it'll take a little longer if there's a lot of emails in the inbox because it has to look at each and every one of them

alright alright so the one problem that you're really gonna have here though is what is your trigger have to be every time that same sender's email address with the same subject line so first off at a certain point someone's gonna see the email and then see that it disappears that's not normal they might write it off once about the second or third time though they're gonna call the admin and say something's really wrong here additionally we're bound to that one email address so we might want to have some variety so my thought process was what if we took an email that was completely benign that a person gets all the time and we just didn't delete it

who here has a LinkedIn page yeah who here gets damn emails with BS job offers from some recruiter on LinkedIn like once a week so you don't think anything of them right you just delete them and move on what if that could be our trigger email that's the thought process I went to is to have a LinkedIn email be our trigger email so we're gonna make it dynamic so rather than filtering on the subject line or the email addresses at all we're gonna use the body of the email and not only is our email trigger gonna be able to be dynamic but also the port that it calls out to and the IP address all of

that will be inside the body of the email and we're gonna do it in a way that it's not gonna look suspicious the email is gonna look like a legitimate damn recruiter or spamming you trying to give you a LinkedIn job offer so what we're gonna need is three trigger words you want to make sure your trigger words are generic enough that they don't look weird you know you don't want to have word of the day toilet paper words in your email you know supercalifragilistic expialidocious or anything that's gonna seem strange you wanted to be calm enough words they're going to blend in on the other hand you need to make sure the three words are unlikely to show up in a

regular email cuz they might actually get an email from a LinkedIn person we don't want their email triggering our payload customers don't like that additionally it's gonna have to have a single number in it that falls within the port range the final thing we're gonna need is we're gonna put a URL in there that's gonna resolve to our callback IP address so you'll have to have a payload here I'd use just like MSF Fenimore something to prep a payload that doesn't have a callback IP or port but that requires these parameters be specified just not that hard to do and that way we can have the same payload call back to a different IP address

every time we get on so you didn't see that so the way we're going to do this I put a little bit of parameter control in here so I have a validate count to make sure that there's exactly three trigger words supplied you also have to tell it the delay and what the payload is and I left in that switch to monitor the junk folder if you wanted other than that everything will be in the body of the email so we're just defining the folders again starting that same comic that we started every other time and so here's what we do those trigger words that will be supplied by the user when they serve by us when we start the script they're

stored in an array so we'll just call them by our position in the trigger words array so if the body of the email matches trigger word zero and trigger words one and trigger words two so if it hits on all three of our trigger words it's then gonna process that email to figure out what it's supposed to call back to I can thank a co-worker for this regex because cole doesn't do regex hijacks and I do not get along we agree to disagree a long time ago but I assure you that top one is the regex for a URL the bottom one which is ridiculously long is the regex for a number that falls within the legitimate port range

god I hate regex so what we did is we took the body of the email and here we have a variable called formatted but equals the body of the email split on every space so essentially I took this big paragraph of an email and I broke it into a long array of words so we can look at each word individually to see if it matches our regex so for each section in formatted so for each single little block of characters between spaces if the section matches we're selecting the string that matches the pattern for our URL reg X if it matches that it'll save it in that variable and if that does not equal null then we're defining that as

our URL we're then doing the same thing we're going through and checking to see if it matches our port reg X and if so we're saving it as our port we then I just have a couple for both statements so I could troubleshoot it and make sure it was doing what I thought it was doing we're then going to try a dns we're just going to get a DNS lookup on the URL and once it's done we are going to set that IP address we're going to convert it into a string that can be fed to our payload and have it take off and do what we want it to do and then I took out the

part that would actually start the payload and instead I have it echo what it would trigger on and send it into a text document because that's easier for a demo than trying to do Wireshark and capture pcap to show what it called out to and after that it's just gonna start sleep for the random delay and then come back to the beginning so the benefit of this again is that you don't have to worry about anybody finding the email you'll notice there's no cleanup there I'm not gonna delete the email I'm gonna leave it sitting there as long as I'm not triggering on to the Box three times a week no one's gonna notice that one

extra email each week that is just crappy mail they might forward it on to IT and say hey one got past the spam filter but that's fine because they're just gonna filter it based on the sender's IP address that I'm not using anyways so I'll just pick a different one for the

all right so I went ahead for the IP address I just used my works email so Chiron techcom and for my trigger words I chose LinkedIn independent and cyber tack security because they all seemed normal I figured putting the tack in cybersecurity would make it my one that would be hard for somebody else to match because who the hell - eight cybersecurity Zephyr maybe a bad LinkedIn recruiter who I'm trying to emulate so there's our email it's got the three trigger words in it it's got the company URL in there and the best part is what has the same number of possible digits as support street numbers what's in everybody's signature block oh yeah their work address so I

just made a BS work address and whatever that street number is that's the port I'm gonna call out to so you can see that Chiron tech is 208 113 whatever it'll pop it up a second so we're starting it it's looking for those three trigger words and it's just gonna start notepad and resolve - Chiron tech and port 2700 because that's our street address I believe so searching and searching it's not finding anything so I'm gonna take my email come on there we go and we're gonna take our email move it to the inbox so now it should catch it and trigger on it the second alright it says it found the URL it discovered

the URL so now the payload will call out to 208 113 173 - I'm for 2,700 that's the port we wanted and that's the IP address we wanted because it matches the one I was intending to have it call out - yay okay so what's the only thing that's better than a good trigger able back door what if you don't have to get on the box at all there's some tasks that you're gonna have to do you're gonna have to get on the box to do you just that's the nature of the beast sometimes though it's just sort of sustained collection and you already know what directory you want to scrape or what information you're gonna

want to grab you just have to wait for it to show up so if you already know what commands you would run when you got on the box do you really have to get on the box or do you just have to email a script I went with email a script so I mean Outlook takes messages in it also sends messages back out so why not send our script via an email have it load the script execute it and run it for us and then output the results to a text file that it saves as an attachment and emails back to us that sounds awesome it sounds like I don't have to work as much

Okay, you can't just email a .ps1 script, doesn't work that way. It makes Outlook very suspicious, it will get your email kicked to the junk folder, and it just looks like bad juju. The great part is PowerShell doesn't care if it's a PowerShell script or just a series of commands that are fed to it. So if you just change your PowerShell extension to .txt, it's now a txt file, it's no longer executable code, Outlook doesn't give a damn, doesn't pop any flags, and PowerShell can still process the commands just fine. You can take them and feed it to it and it'll take off beautifully. Right, so I like that, it says the steps are fairly

simple, and there's a big long list of steps. So first thing we're gonna do is we're gonna monitor for that trigger email. Again, I left it dynamic, but you could set it to static if you were always going to come from the same one. Once it gets detected, it's gonna save the attachment temporarily to disk. I'm sure there's a way to scrape it, store it in memory and have it save properly, but I only tried to get it to work for about an hour and then I got angry and just saved it to disk and solved the problem. It's gonna be on disk for literally a second, and it's a text document, they're not gonna find it, and

even if they do, they won't have time to open it before it goes away. So once it's detected it'll save the attachment temporarily to disk. I believe I put it in the temp directory, and it's called ~DF plus a string of gibberish; there's always eight of them in there anyways, so it'll blend in beautifully. Once it writes it to disk, it's going to save its contents as a variable and then delete it off the disk, so again it's going to be there for a fraction of a second. It's then gonna take that contents that's in that variable, which is our script, and it's gonna run the script and then save the output to another temp file. This one has to be a

file, because it's really hard to add an in-memory attachment, doesn't work that way. So it will then take those results and it's going to email them back to whatever email address sent the trigger. It's gonna save that email address as a variable, and when it has the contents done it will then send it back to whoever sent the trigger in. So yeah, it'll then delete the trigger and the exfil emails and clean both emails out of the Deleted Items folder.

All right, so most of this is gonna look really familiar. Again, we're just creating that new COM object, setting our folders, specifying our trigger words to catch on. At that point it saves the sender email address, because it has to be saved for later so it knows where to send the response back to. It's then gonna grab that email and look at its attachments, and for the attachment it's gonna take it, save it to the current user's environment in the temp folder as DF-whatever.txt. It's then going to save it as a variable and then blow away the text file. It's then gonna run PowerShell with the command of whatever's saved in that script. So again, a

big long script, it could be a thousand lines of code; as long as it's fed to PowerShell via variable it'll take it, run it. It doesn't count as a script either, so it bypasses the script execution policy without having to provide a bypass. It's then gonna take the results and put them out to the same temp folder with a slightly different gibberish. It then defines that as a file, and it's gonna have Outlook create a new item and set the subject and the body. After I wrote all this I realized it probably would have been easier to just use the Send-MailMessage cmdlet to send the email back out with an attachment,

and I could have done it in one line instead of ten. More notes for version two. And then it's going to do its typical cleanup. All right, so I didn't pick anything... where's the thing, I know it's right in front of my face, oh, it's right there. Okay, so I didn't have to do anything super exciting. I commented out the section that would clean up the emails in the script for the demo, because, well, you wouldn't be able to see that it sent the email if it deleted it and cleaned it up, so I commented that out so that the evidence would still be there. The script I sent isn't overly complicated, I went with something simple.

I just have it pull a running process list. My three trigger words were kitty, dog, and cheeky, because I didn't feel like writing another long email at this point, and again the email just has the Get-Process cmdlet, so it's gonna run, get a list of the running processes, save it to disk, attach it to a new email that it sends out. You're gonna notice something a little different is gonna happen on this one: it's gonna make a bunch of pop-ups, and we will discuss those pop-ups momentarily. They're supposed to happen, so there's a workaround so that the user doesn't actually have to click "yes, let something take over my Outlook", because that would make our

tool not so useful. All right, so it's searching, it doesn't see a trigger email, we move it to the Inbox, it should fairly quickly... yeah, there's that little pop-up, it says "whoa, something's trying to access one of your emails, do you want to allow this to happen?" I said yes, let it do it. Okay, it found the email, it did all the processing, and now it says "wait a minute, something else is trying to send an email as you, do you want to allow this?" So we're gonna just tell it yes to let it process, but then we will discuss the workaround. So it should have sent an email now, and so if we look in the Sent

Items there's our email. If we open up the email, and we open up the email, there we go, and open the attachment, it should be a process listing. Yay, so it did roughly what we wanted it to do. All right, so things that I would like to improve on: there's no encryption in this, really, at the moment, so everything's going to be sent in the clear. Customers don't tend to like that, so I would probably add some form of encryption for customer data before I send it out to the internet. I'd also like to get it all into one script, just have one mega script that did everything, but that's down the road. And again, I want to put in

a switch to check to see if Outlook is running, and if so let it run normal, and if it's not, to tell it to start it with it not being visible. Those are the only main additions, and apparently deleting an email a third time should probably go in the list as well. Okay, so I always hate when people give talks and, like, "here's this cool thing, they can own systems", and then don't tell you anything about how to protect against it. So here's how you can protect yourself. For starters, use a less crappy antivirus product. So you guys saw pop-ups in the last demo; the reason those pop-ups were there is that box didn't have an antivirus

product running. As soon as an AV product registers, certain changes take place. So Outlook naturally protects itself, that's what those pop-ups are, it's like "wait, this doesn't seem quite right, are you sure you want to allow this to happen?" It's good, it's what it's supposed to do. As soon as an antivirus product registers and it shows up in root\SecurityCenter2, I believe, which is the namespace that it gets registered in, as soon as something registers there Outlook says "oh, I don't protect myself anymore, there's an AV here, surely those are well coded", so it assumes that the antivirus product is actually checking emails. Which, as you can see, I think the one that we used was Comodo, which did a

horrible job. So I wouldn't... a lot of people say kill AVs, get rid of AVs. No, you need to have AVs, but you need to have one that doesn't suck. Maybe stop using the cheap one or the free one and actually pay a little bit of money for something that's supposed to be protecting you. Other than that, event logs. The event logs are absolutely your friend. It has never been easier to be a defender than it is today; I mean, just three years ago it was so much harder to be a defender. The Windows event logs have improved tenfold. So for starters, you need to obviously be auditing process creation, and you should probably notice when PowerShells are

starting. PowerShell has its own logging, it should be used and turned on beyond what it's set to by default, which is basically "PowerShell started, PowerShell stopped". There's other auditing events that can be turned on there if you have Windows 7 or newer and you have the right security patch installed. How many defenders do I have in here? Red teamers don't count as defenders. Okay, do you know if your networks have command line included in their event logs? So if you just have process creation logged, the event log is going to say "powershell.exe started". If you include the command line, and it's just checking one little box, it'll say "powershell -Encoded

Command" and then the big blob of base64 code that you can switch back, that shows exactly what the attacker did. I mean, it's insanely powerful. Anything that's done remotely is done via the command line, so every single argument and option that gets passed in could be written in that event log if you just check the one damn box. It's gonna take up a little more storage, but what's a one-terabyte hard drive these days, like 80 bucks? I don't think we any longer have the argument that "well, it takes storage". Buy more storage, it's not expensive. PowerShell also has mandatory transcription, so there's a cmdlet, it started in PowerShell version 4, so if you're running Windows 7 this part is

not gonna work, but if you're running Windows 10, it's got PowerShell version 5 by default, this will work. There's a Start-Transcript cmdlet that records everything you type and everything that's returned to a text file. Well, there's an auditing setting that makes transcription mandatory, so it doesn't even tell the user it's doing it, but it records everything that they type and everything that's returned and saves it off to a text file. So that's only things that are typed in PowerShell, so if you have someone using malicious PowerShell in your network, you will see every single thing that they typed. All right, so my obligatory shout-outs. So for Get-Outlook there was a Scripting Guy

article about exporting your calendar information; that's what gave me the idea to scrape Outlook, so I borrowed that from him. Matt Nelson came up with the original trigger script for the email, so not the dynamic one but the standard trigger. The one I have is very close to the one that he has on that exact webpage right there, I just added some extra cleanup: I deleted the emails instead of just leaving them in the Deleted Items folder, I cleaned up their markup some, and a couple other little tweaks. But I have to give him a shout-out for that, because other than that he wrote most of that general code. If you do want to have any of the code

samples to tinker with, play with, have fun with, what have you, they are on GitHub at that address. And that is all. I can put that back. Yes? [Audience, partly inaudible: ...to be able to create, what, oh, the COM object?]

Yeah, I don't... I don't believe you'll... I mean, you create objects all the time as a regular user, you shouldn't need to be administrator, you should be able to do it as a default user. Yeah. Yep. Any other questions? Yes? [Audience question] Yeah, yeah, yeah, you could. I thought about putting it in the body of the email; problem is, I figured that would then be forever, every script that I made would be on the Exchange server if someone noticed, if they started to notice behavior and they started digging. An email with no content in it that is somehow 3K can be a little fishy. [Audience: throw it in...] Yeah, ooh, you can do that, but if you have content and commands it

would be... you'd have to do some funky juju to tell it where to find commands. Yeah, you'd have to put something in there, or say cut it off at this trigger word and below that word is your commands, and scrape just that. But yes, that could absolutely be done. [Audience: you can, unless it's a user like me who always does Shift-Delete, in which case it'll never go to the Deleted Items folder.] Yeah, that's true, yeah, I always give way too much credit to the competence of the average American workhorse. Yeah, I mean, you can do it. I mean, part of it, I mean, you'd be using this for some form of, like, CTE action, some red team, some cyber threat

emulation. How far you go, I guess, depends on who you're trying to emulate. I mean, red teaming is not pen testing; you're supposed to be emulating some form of attack, and depending on the sophistication level you're trying to emulate, make it a little harder, make it a little easier, but you could do that as well. Yes? [Audience question about Constrained Language Mode] Constrained Language Mode pretty much breaks everything; however, it also seems to piss off admins that use PowerShell and scripts for administration. So it's one of those things that, yeah, it will... I would almost guarantee that it would break this. I don't know that for a fact, but I believe it would break this. I just haven't found many places that have

that, because then the admins can't do their stuff either. Admins will always take accessibility over security. Any other questions? [inaudible] All right. Yes? [Audience question about running a new transport rule] Yeah, since you have to run that command on the Exchange server, any account that you've got on there would have the privileges to add that transport rule, assuming that... okay, I might be giving too much credit to the users again. I'm assuming that your regular users don't have login permissions on your Exchange server. Any account that's on the Exchange server should be able to put the transport rules in place, because if you're not an admin you should have no business being on the Exchange server. But whether

a regular user could do it, I never thought to try. Yeah. Any other questions? All right, thank you for dealing with me. [Applause]
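The defensive advice in the talk (audit process creation, tick the box that includes the command line, and unwrap the base64 after -EncodedCommand) can be turned into a small detection. This is an added example and not code from the talk or from the speaker's GitHub repository: it takes constructed 4688-style records, decodes any -EncodedCommand blob the way the speaker describes, and flags PowerShell that instantiates the Outlook COM object. The record field names, the Outlook.Application ProgID in the indicator list, and the sample records are assumptions made for this example.

```python
import base64
import re

# Indicators of the Outlook COM automation described in the talk. The ProgID and
# MAPI namespace strings are assumed for this example, not taken from the talk.
OUTLOOK_INDICATORS = ("Outlook.Application", "GetNamespace('MAPI')", 'GetNamespace("MAPI")')
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand (case-insensitive).
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

def encode_ps(script: str) -> str:
    """Base64 of UTF-16LE, the form powershell.exe expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: not decodable, so nothing to report

def analyze_event(event: dict) -> dict:
    """Classify one 4688-style record: PowerShell or not, decoded script, Outlook COM use."""
    image = event.get("NewProcessName", "").lower()
    cmdline = event.get("CommandLine", "")
    is_ps = image.endswith(("powershell.exe", "pwsh.exe"))
    decoded = decode_encoded_command(cmdline) if is_ps else None
    visible = ((decoded or "") + " " + cmdline).lower()
    outlook = any(ind.lower() in visible for ind in OUTLOOK_INDICATORS)
    return {"powershell": is_ps, "decoded": decoded, "outlook_com": outlook}

def scan(events):
    """Return the records worth an analyst's attention, with the analysis attached."""
    findings = []
    for ev in events:
        a = analyze_event(ev)
        if a["powershell"] and (a["decoded"] is not None or a["outlook_com"]):
            findings.append({**ev, **a})
    return findings

# Constructed sample records (not real captures), shaped like Security event 4688
# with "Include command line in process creation events" enabled.
SAMPLE_SCRIPT = "$o = New-Object -ComObject Outlook.Application; $ns = $o.GetNamespace('MAPI')"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 4688, "NewProcessName": PS_IMAGE,
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + encode_ps(SAMPLE_SCRIPT)},
    {"EventID": 4688, "NewProcessName": PS_IMAGE,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["NewProcessName"], "->", f["decoded"] or f["CommandLine"])
```

Without the command-line box ticked, only NewProcessName is logged and the second and third records look identical; with it, the decoded script shows exactly what was run, which is the point the speaker makes.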