BadOutlook for C2
BadOutlook is a command and control (C2) technique that leverages Microsoft Outlook’s COM interface for communication.
There are a handful of ways to detect malware, including antivirus (AV), endpoint detection and response (EDR) and network analysis. As a result, researchers spend a lot of time looking for ways to evade AV and EDR detection, from unhooking to the use of more exotic API calls. This is in addition to research into new ways of defeating network detection and finding evasive communication channels. With respect to network evasion, much public research explores the use of websites, custom protocols and so on. What is the constant in these situations? Implants (i.e. your malicious code) either open a port on the target system or make outbound connections to the command and control servers. One technique rarely explored is C2 without direct network communication. The challenge then becomes how to send commands to the implant without communicating with it directly.
According to Microsoft, the Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's Object Linking & Embedding (OLE) and ActiveX (Internet-enabled components) technologies. In other words, COM is simply a way for two programs to talk to each other. Have you ever embedded an Excel spreadsheet inside a Word document? That is a common scenario COM was designed for. Numerous Microsoft products expose COM interfaces that allow other applications to interact with them. This includes Word, Excel and the subject of this blog, Outlook.
Outlook has a COM interface which, according to the documentation, “Represents the entire Outlook application.” The Outlook COM interface allows programs to do anything from checking mailboxes and calendars to sending emails. To state this simply, anything an end user can do in the main graphical user interface (GUI) can also be executed through the COM interface. This post explores how I built an implant that monitors the Outlook client for C2 instructions while not requiring external (e.g. Internet) communication to operate.
BadOutlook leverages the COM interface to poll a specified Outlook folder at a predetermined interval. In this example, we poll the Inbox folder every 10 seconds looking for the subject line “testtesttest2.” Once BadOutlook identifies the trigger subject line, it reads the email body, which contains base64-encoded shellcode, and executes it. This proof of concept is not itself intended to be fully evasive; rather, it is a new method that can be incorporated into your malware development.
Additionally, Matthew Eidelberg’s research can be used to execute this technique evasively. Below you can find screenshots of the tool in action:
Figure 1: Polling the Outlook Client for the Trigger Subject Line
Figure 2: Email Containing the Trigger Subject Line and Base64 Encoded shellcode
Figure 3: Trigger Email in Inbox Awaiting Execution
Figure 4: Trigger Email and Shellcode Executed Resulting in an Interactive Command Prompt
Given the functionality available in Office products, it's possible for adversaries to leverage Outlook's COM interface in attacks for extended persistence. As the implant does not require traditional outbound communication for its instructions (e.g. POST calls), blue teams may struggle with network-based detections. Outlook does produce an alert when outside programs attempt to leverage the COM interface and access Outlook. Organizations should consider configuring rules or checks to identify instances where the registry key that disables this alerting functionality exists.
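As an added defensive example (not from the post or the BadOutlook project), the PowerShell below audits a host for registry settings that silence the programmatic-access prompt described above. The post does not name the key; the paths, value names and data meanings below are my assumptions based on Microsoft's Outlook security policy settings (the "Object Model Guard" and the PromptOOM* policies) and should be confirmed against the documentation for your Office version.

```powershell
# Added example (not from the post or the BadOutlook project): audit a host for
# registry settings that suppress Outlook's programmatic-access prompt.
# ASSUMPTION: the post does not name the key. The paths, value names and data
# meanings below are taken from Microsoft's Outlook security policy settings as
# I understand them; confirm them for your Office version before relying on them.

function Get-OutlookOMGuardOverrides {
    [CmdletBinding()]
    param(
        # Office major versions to inspect (2010, 2013, 2016/2019/365)
        [string[]]$Versions = @('14.0', '15.0', '16.0')
    )

    # Policy values that, when set, change the Object Model Guard prompt.
    # ObjectModelGuard: 0 = warn only if AV is missing or out of date (default),
    #                   1 = always warn, 2 = never warn.
    # PromptOOM*:       0 = prompt user, 1 = automatically approve, 2 = automatically deny.
    $promptValues = @(
        'PromptOOMAddressBookAccess',
        'PromptOOMAddressInformationAccess',
        'PromptOOMSend',
        'PromptOOMSaveAs',
        'PromptOOMMeetingTaskRequestResponse'
    )

    foreach ($v in $Versions) {
        $keys = @(
            "HKCU:\Software\Policies\Microsoft\Office\$v\Outlook\Security",  # Group Policy
            "HKCU:\Software\Microsoft\Office\$v\Outlook\Security"            # user preference
        )
        foreach ($key in $keys) {
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key

            # "Never warn" turns off the alert the post relies on.
            if ($props.PSObject.Properties['ObjectModelGuard'] -and $props.ObjectModelGuard -eq 2) {
                [pscustomobject]@{
                    Key     = $key
                    Value   = 'ObjectModelGuard'
                    Data    = $props.ObjectModelGuard
                    Finding = 'Programmatic access warnings disabled ("never warn")'
                }
            }

            # Auto-approve lets COM clients touch mail data without any prompt.
            foreach ($name in $promptValues) {
                if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
                    [pscustomobject]@{
                        Key     = $key
                        Value   = $name
                        Data    = $props.$name
                        Finding = 'Prompt auto-approved; COM access to Outlook proceeds silently'
                    }
                }
            }
        }
    }
}

# Run the audit and list any overrides; no rows means no suppression was found.
Get-OutlookOMGuardOverrides | Format-Table -AutoSize
```

Two caveats when using this. First, as I understand the default setting (ObjectModelGuard = 0), Outlook only prompts when Windows reports antivirus as missing or out of date, so on a well-maintained host the prompt may never appear even without any registry change; treat the prompt as a weak control and the audit as one signal among several. Second, a one-off audit only catches settings that already exist; for ongoing coverage, alert on writes to these values (for example via Sysmon registry-event logging) in addition to periodic polling.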
Copyright © 2023 Optiv Security Inc. All rights reserved.