OutlookToolbox is a C# DLL that uses COM to interact with Outlook. Also included is a Cobalt Strike Aggressor script that uses OutlookToolbox.dll and gives it a graphical control interface.
Critical information is often stored in Outlook: files and information are sent via email or Lync conversations. Additionally, each email address within the organization represents an implied trust, and threat actors will use or exploit this trust to achieve their goals. Programmatic access to Outlook can be controlled, which would negate this vector unless the user actively permits access.
- Only use for good.
- I have not done extensive testing with the tool, use at your own risk. I recommend spinning up a replica of your target to test and get a feel for it first.
- The Aggressor script has several `brm` function calls that take user input. These can bulldoze directories if the input is not sanitized correctly. I've done stress testing, so the script should be okay, but keep it in something like `Users\Public\Documents` just to be safe.
## What it does
- Lists folders in Outlook (Inbox, Sent Items, Conversation History, Joe's Custom Folder ... )
- Exports target folder to a CSV File
- Enumerates targets using the GAL
- Download specific messages
- Sends email on behalf of the target user
- Windows 10 x64 Outlook x64 (NET4.5 version)
- Windows 7 x64 Outlook x86 (NET3.5 version)
## How to prevent
Configure Outlook's programmatic access security to report on suspicious activity: https://msdn.microsoft.com/en-us/vba/outlook-vba/articles/security-behavior-of-the-outlook-object-model. Email encryption also hinders this tool, though there will be a way around it.
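The setting referenced above lives in the registry as the `ObjectModelGuard` value the README mentions later, and the author notes it can sit in more than one location. The following PowerShell audit is an added example and is not part of OutlookToolbox or its Aggressor script. It assumes the documented per-version Outlook security key paths under the policy hive (`HKCU:\Software\Policies\Microsoft\Office\<ver>\Outlook\Security`) and the per-user hive (`HKCU:\Software\Microsoft\Office\<ver>\Outlook\Security`), and it assumes the documented value meanings (0 = warn when antivirus is inactive or out of date, 1 = always warn, 2 = never warn). It reports every location where the value is defined and flags the weak setting.

```powershell
# Added example (not part of OutlookToolbox): audit the Outlook Programmatic Access
# Security setting (ObjectModelGuard) for the current user, in both the policy hive
# (set by Group Policy) and the per-user hive (set in the Trust Center).
# Value meanings assumed from Microsoft's documentation of the setting:
#   0 = warn when antivirus is inactive or out of date (Outlook default)
#   1 = always warn about suspicious activity (recommended hardening)
#   2 = never warn (Programmatic Access Security effectively disabled)

function Get-OutlookObjectModelGuard {
    [CmdletBinding()]
    param(
        # Office version keys to check; 12.0 = 2007, 14.0 = 2010, 15.0 = 2013, 16.0 = 2016/2019/365
        [string[]]$Versions = @('12.0', '14.0', '15.0', '16.0')
    )

    $meaning = @{
        0 = 'Warn only when antivirus is inactive or out of date (default)'
        1 = 'Always warn about suspicious activity'
        2 = 'Never warn (WEAK: programmatic access unrestricted)'
    }

    foreach ($ver in $Versions) {
        # The policy hive takes precedence over the user hive when both define the value.
        $locations = [ordered]@{
            Policy = "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook\Security"
            User   = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security"
        }
        foreach ($scope in $locations.Keys) {
            $path = $locations[$scope]
            if (-not (Test-Path $path)) { continue }
            $value = (Get-ItemProperty -Path $path -Name ObjectModelGuard -ErrorAction SilentlyContinue).ObjectModelGuard
            if ($null -eq $value) { continue }
            [pscustomobject]@{
                OfficeVersion    = $ver
                Scope            = $scope
                Path             = $path
                ObjectModelGuard = $value
                Meaning          = if ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] } else { 'Unknown value' }
                Weak             = ([int]$value -eq 2)
            }
        }
    }
}

# Usage: list every location where the setting is defined and flag the weak ones.
$findings = @(Get-OutlookObjectModelGuard)
if ($findings.Count -eq 0) {
    Write-Output 'ObjectModelGuard is not set anywhere: Outlook uses its default (warn only when AV is unhealthy).'
} else {
    $findings | Format-Table OfficeVersion, Scope, ObjectModelGuard, Meaning -AutoSize
    if ($findings | Where-Object Weak) {
        Write-Warning 'Programmatic Access Security is disabled (value 2) in at least one location.'
    }
}
```

To enforce the reporting behaviour the README recommends, the value should be set to 1 in the Policy-scope key via Group Policy rather than edited per user, since the user hive can be changed by the user (or by code running as the user) through the Trust Center.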
I've used so many resources developing OutlookToolbox and the Aggressor script, and I've tried to reference them in the C# code. For the Aggressor script I relied heavily on the following:
If an approach looks similar to something you've done and you want recognition, drop me a line and I'll list you. This is my first published project on GitHub; if I've made any mistakes, please let me know. Thanks!
I've created a NET3.5 and a NET4.5 project for Windows 7 and Windows 10 respectively. The NET3.5 project uses UnmanagedExports (https://www.nuget.org/packages/UnmanagedExports) to export methods so the DLL can be run by rundll32 or by another calling application if you choose to create one. Unfortunately, I was not able to get UnmanagedExports to work in a NET4.5 project, so I ended up rolling with DllExport (https://github.com/3F/DllExport). Note: I've seen other posts mention that UnmanagedExports works with NET4.5, so the issue is on my end.
## How to build
### For NET3.5 (done with VS2017)
- Open the solution
- Configure the project to x86 Release
- Install UnmanagedExports
  - Tools -> NuGet Package Manager -> Package Manager Console
  - `Install-Package unmanagedexports`
### For NET4.5 (done with VS2017)
- Open the solution
- Configure the project to x86 Release
- Install DllExport (https://www.youtube.com/watch?v=okPThdWDZMM)
  - Namespace: `System.Runtime.InteropServices`
  - Check the x86 checkbox
  - Generate .exp + .lib via MS Library Manager. Do NOT check "Use our IL Assembler"
  - You might get an Export warning; don't worry about that.
`rundll32 OutlookToolbox_NETxx.dll,SampleSanity` should generate a file called SanityCheck.txt in the same directory. This is a call to OutlookToolbox's error-checking and no-popups method.
I recommend driving the function calls from some sort of script or application. A mistyped export name such as `rundll32 OutlookToolbox.dll,EnumerateFoldadders` will generate a popup, so it's better to handle the calls with a script or application to avoid typos.
- `rundll32 OutlookToolbox.dll,SampleSanity`
  - Runs OutlookToolbox's error and no-popup function
  - The output will be in SanityCheck.txt
- `rundll32 OutlookToolbox.dll,EnumerateFolders`
  - This will export root and child folders to OutlookFolders.txt
- `rundll32 OutlookToolbox.dll,FolderToCSV TargetFolder`
  - This will export the target folder to TargetFolder_Export.csv
  - Example: `rundll32 OutlookToolbox.dll,FolderToCSV sent items`
- `rundll32 OutlookToolbox.dll,EnumerateTarget TargetUser`
  - This will export target details (name, username, email address, manager, coworkers, etc.)
  - This will export details to TargetUser_Enum.txt
  - Target user can be a full name, username, or email address; it attempts to resolve against the GAL.
  - Example: `rundll32 OutlookToolbox.dll,EnumerateTarget Joe Smith`
- `rundll32 OutlookToolbox.dll,DownloadMessage TargetFolder SearchCriteria SearchString`
  - This will export a collection of emails in .msg format
  - Target folder is something like inbox, sent items, conversation history, etc.
  - Search criteria is either `senderemail` or `index`
    - `senderemail` is what you think: download all messages that came from that email address
    - `index` is the number of the email, which can be found in the FolderToCSV .csv
  - Search string is the email address or index
  - If `senderemail` is used, all the emails will be exported to searchstring.zip
  - If `index` is used, the single email will be exported to searchstring.msg
  - Example: `rundll32 OutlookToolbox.dll,DownloadMessage inbox senderemail firstname.lastname@example.org`
- `rundll32 OutlookToolbox.dll,EmailPivot MSGFile mute`
  - This will send an email on the user's behalf
  - If some sort of email encryption client is used, this could generate a popup
  - MSGFile is a .msg file that you will generate
  - `mute` will create an Outlook rule to send replies from the target recipient to the Deleted Items folder
  - Obviously keep track of where you do this; you will have to manually remove these rules at the end of the engagement
  - Example: `rundll32 OutlookToolbox.dll,EmailPivot testmessage.msg mute`
OutlookToolbox's error and no-popups function checks for the following:
- Whether Outlook is installed
- Attempts to find the ObjectModelGuard registry key (Programmatic Access Security) at a number of locations. I've seen this key stored at different locations, so there is a very real chance that the key might be in a place where OutlookToolbox doesn't look. If the return is null, OutlookToolbox will not run; better to not run than to generate a popup.
- OutlookToolbox counts the number of Outlook processes; if that number is anything besides 1, the program will stop. If Outlook is not running, a little Outlook icon will pop up in the notification area: not noisy, but still a popup.
- OutlookToolbox needs to be run at the same integrity level as Outlook; if there is a mismatch, the program will stop. Again, if you want to run the function, call SampleSanity; it should be opsec friendly.