Find out more about shadow AI and the risks of leaving it uncovered.
The post Shining a Light on Shadow AI: What It Is and How to Find It appeared first on Security Boulevard.
Our teams are always hard at work improving the TrustCloud platform. Here are this month’s biggest updates. Introducing our ServiceNow integration! This is a bidirectional integration with ServiceNow to pull ticket details into TrustCloud. Teams can create new ServiceNow tasks in TrustCloud and attach ServiceNow links as evidence to your tests. The integration also supports […]
The post TrustCloud Product Updates: August 2024 first appeared on TrustCloud.
The post TrustCloud Product Updates: August 2024 appeared first on Security Boulevard.
Specula is a framework that allows for interactive operations of an implant that runs purely in the context of Outlook. It works by setting a custom Outlook homepage via registry keys that calls out to an interactive python web server. This web server serves custom patched vbscript files that will execute a command and return a string response. This is not a completely new concept, other public tools have existed before that take advantage of the vbscript capability within outlook to perform attacks.
One of the unique features of Specula outside of running entirely within Outlook is its ability to load and execute XLL Files. Once an agent has been hooked the malicious xll can be staged and executed via execute_registerxll.
In this blog we are going to break down using an XLL file to launch an application using Specula C2 and Outlook. Some of the logs shown in this blog will be truncated to show the important parts for brevity.
Hooking AgentsTo hook an agent, all you need to do is to create the registry REG_SZ value of URL under HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox and add the value pointing to your validation url on the Specula server.
Hooked Registry KeysThere are a few settings that are preferable to add/adjust in order to avoid issues with ActiveX. To generate a full reg file with all the recommended settings you can, from the root of the Specula menu, run generatehooker and it will show you the reg file you can copy over to an Windows client with Outlook on and import it. For the registry key to take effect, you will need to stop Outlook if it is running and restart it.
XLLAn XLL (Excel Add-In) is a type of dynamic link library (DLL) specifically designed for use with Microsoft Excel, providing a way to extend Excel’s built-in functionality by adding custom functions, commands, and toolbars. Like DLLs, XLLs are compiled libraries that can be loaded into Excel, integrating seamlessly to create custom functions that behave like native Excel functions. Written in low-level programming languages such as C or C++, XLLs offer better performance and efficiency compared to VBA (Visual Basic for Applications) macros. They can also call Excel’s C API, allowing for deeper and more complex interactions with Excel. Additionally, XLLs can be distributed and deployed as standalone files, making them easy to share and install across different systems.
These files are basically DLLs with specific function names.
So to quickly recap. A victim running Outlook is hooked via a reg file containing specific registry keys for an Outlook homepage pointing at the Specula Server. Once hooked and approved the malicious xll is staged.
XLL Upload via Specula C2Once staged the execute/host/execute_registerxll module is executed with an input of our staged xll file. This will launch an Excel COM object, load, and execute the malicious file. This can essentially perform any action that a typical DLL can without utilizing typical DLL methods of loading.
Execute XLLSuccessful execution can be checked via the data command
Successful Execution Logs and Detection Opportunities Registry HookAs mentioned, the first thing that will happen when using Specula C2 is the agent hooking via the registry. The framework achieves this by modifying specific registry keys related to Outlook’s web view and homepage settings, redirecting them to the C2 server controlled by the attacker.
When an Outlook user opens a specific folder (like Inbox, Calendar, or Tasks), Outlook queries the registry to determine if a custom homepage or web view has been set for that folder. This HTML page allows execution of VBScript or JScript within a privileged context, granting nearly full access to the local system, similar to running scripts via cscript or wscript.exe.
The ability to abuse the Outlook home page was reported as CVE-2017–11774. The Outlook home page was believed to be patched, however, even though the UI elements used to set this was disabled the registry values can still be changed manually.
Since this is registry modifications it can be captured with Sysmon EventID 13.
...You will want to look for the URL being set in the following Registry Keys:
Software\Microsoft\Office\*\Outlook\TodayIf you have network insights, tools such as Zeek offer some detection opportunities around the agent registration. Specula will make a web POST to the /plugin/search uri by default. This will contain a base64 encoded payload containing the hostname and username.
bytes: 58The xll file that will be executed needs to be staged locally. This is usually accomplished via the put_file function of Specula. This will generate a File Creation event for the XLL File by the Outlook process. The location is determined by the attacker but looking for any xll files created by Outlook will highlight this activity.
Provider Name: Microsoft-Windows-SysmonWhen Outlook goes to execute the XLL, it will launch an instance of Excel using the Office COM Objects. This will cause svchost.exe to launch Excel with /automation -Embedding arguments. You can find this activity by looking for process creation events. Outside of just Excel being launched, you can use this to identify other suspicious executions of Office products.
CommandLine: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -EmbeddingLooking at the process graph you won’t see a connection to Outlook as the originator of the activity because of the way it uses these COM Objects.
Process Graph of XLL Execution XLL LoadFinally the Excel Object will load and execute the XLL Add-in from the uploaded location. This shows up in Image Loads (EventID 7).
EventDescription: Image loadedExcel loading an XLL is in itself not necessarily malicious. However, you can hunt for this and narrow it down to unusual locations such as Temp or Public folders.
For more logs and details on this and other Specula C2 activity, check out the collection in our platform: Specula.
MitreT1137.004 — Office Application Startup: Outlook Home Page
Adversaries may abuse Microsoft Outlook’s Home Page feature to obtain persistence on a compromised system.
T1559.001 — Inter-Process Communication: Component Object Model (COM)
Adversaries may use the Windows Component Object Model (COM) for local code execution.
T1059.005 — Command and Scripting Interpreter: Visual Basic
Adversaries may abuse Visual Basic (VB) for execution.
T1071.001 — Application Layer Protocol: Web Protocols
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
T1112 — Modify Registry
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
T1203 — Exploitation for Client Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
In summary, Specula C2 represents an advanced and innovative approach to conducting interactive operations entirely within the context of Microsoft Outlook. By leveraging custom Outlook homepages and registry modifications, Specula enables seamless command execution through a Python web server. Its unique ability to load and execute XLL files further enhances its versatility, allowing for sophisticated attack scenarios. Understanding the techniques employed by Specula, such as registry manipulation and COM object utilization, is crucial for strengthening cybersecurity defenses.
SnapAttack is the threat hunting, detection engineering, and detection validation platform for proactive threat-informed defense. Register for a FREE community account to access the tons of content included in this blog post, as well as thousands of other community detections. Subscribers also get advanced features like a no-code detection builder, one-click deployments to leading SIEMs and EDRs like Chronicle, Sentinel, Splunk, CrowdStrike and SentinelOne, advanced threat profiles to prioritize relevant threats, and customized reports that track MITRE ATT&CK coverage and more!
ResourcesHunting Specula C2 Framework and XLL Execution was originally published in SnapAttack on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Hunting Specula C2 Framework and XLL Execution appeared first on Security Boulevard.
via the inimitable Daniel Stori at Turnoff.US!
The post Daniel Stori’s ‘Linux Top Explained’ appeared first on Security Boulevard.
Artificial Intelligence (AI) is revolutionizing healthcare, and its impact on patient experience is nothing short of transformative. According to a study by Accenture, AI applications...Read More
The post The Role of AI in Enhancing Patient Experience in HealthTech appeared first on ISHIR | Software Development India.
The post The Role of AI in Enhancing Patient Experience in HealthTech appeared first on Security Boulevard.
In today’s digital world where availability and security are of the utmost importance, time is of the essence. We know how important it is for our customers to get up and running with the solutions they chose from AppViewX as quickly as possible. At AppViewX, we’re more than just a software company, we’re also a […]
The post The AppViewX Experience: A Journey to Seamless Solution Onboarding appeared first on Security Boulevard.