Owning MS Outlook with PowerShell was a talk by Andrew Cole (@colemination) at BSides Augusta 2016 held at Augusta University in September and serves as our feature presentation in this "spooky" October post covering three presentations about modern malware attacks and defense techniques. Cole presentation this talk previously at NolaCon 2016 and as recently as a few days ago at BSides Delaware, so you may run into it again at future security conferences. Before you dive in, it's worth noting this presentation focuses on technology more than policy, but his website [http://www.colemination.com/] has extra information about the basics of using Windows PowerShell that provides some extra context for folks who are less familiar with this topic.
The first (prerecorded) live demo starts 10 minutes in, and if you have any questions about why this researcher targeted Microsoft Outlook, that's all covered in the preceding introduction. There are additional demos at 24:00, 33:00, and 39:00 minutes; however, the screen recordings are somewhat difficult to follow due to the multicamera setup this conference used. You really need to watch the entire thing from start to finish to get the full effect and understand all of the different ways combining PowerShell with Outlook can open the door for an attacker. For example, did you know it's possible for PowerShell to monitor not only the message body of incoming e-mails in a given inbox but also the user's junk mail folder? This is just one way an attacker could trigger malware to "wake up" or "call back" another system. In the video, Cole uses the example of fake zip codes in spam messages as a way to relay open port numbers.
If you only have time to watch one portion of this talk, start at 41:37. This is where we get more information about malware defense in light of PowerShell's capabilities. The biggest and perhaps boldest claim in this section is that uninstalling antivirus software is the best way to protect against these attacks, because Outlook suppresses a number of pop-ups that would normally occur when it sees antivirus is already installed (as seen in the last demo at minute 39). Might be worth testing that out for yourself.
As you may have guessed, this closing thought about how the presence of antivirus software in some systems could "soften" Outlook's built-in security defense in Windows is part of the reason why we're watching this video in October. That's kinda scary, no? Also take into account the fact that polymorphic code and metamorphic code are already two common ways that malware coders attempt to avoid antivirus detection. "That's OK," you might say, "our machines are constantly getting antivirus definition updates." But I'm afraid it's not that simple. If that's your mindset, take a peek at the following two talks first, then go back to see how easy it is to "own" Outlook using PowerShell. All of this automated background activity and data collection in PowerShell could go undetected on your network for weeks, if not months.
[https://www.youtube.com/watch?v=kxixWzD3tBk]
If you trust the often cited statistics at VirusTotal.com, the first 10–15 minutes of Alex Long's presentation at Blackhat last year, Graphic Content Ahead: Toward Automated Scalable Analysis of Graphical Images Embedded in Malware and Jon Bambenek's Building an Encyclopedia of Malware Configs (to punch miscreants) should provide enough data to see the biggest problem isn't necessarily the complexity of malware code, but the sheer volume created every day on a global scale.
Hopefully this Halloween themed post hasn't scared you away from PowerShell entirely. It's important to keep in mind that although we've seen some examples of malicious use in this post, this Microsoft utility is not necessarily something you want to automatically disable on every machine. Instead, many guides suggest going with a more granular approach. In closing, here is a short list of guides with more information about using PowerShell for blue team activity:
- Get-EventLog (Microsoft Developer Network)
- Greater Visibility Through PowerShell Logging (FireEye)
- Intrusion Analysis Using Windows PowerShell (SANS Institute InfoSec Reading Room)
Chris Markman has been blogging about technology since 2008, first as a volunteer for the Participatory Culture Foundation and later as an MSLIS student at Simmons College and MSIT student at Clark University. Prior to joining the Academic Technology Services team at Clark University in 2014, he managed a film and music library in the Visual and Performing Arts department. Markman is a member of the New England Archivists professional group and several artist collectives in the city of Worcester, Massachusetts.
© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.