Outlook Home Page Abuse (Specula)
Theory
Specula is a framework designed to enable interactive operations of an implant within the context of Outlook. It achieves this by setting a custom Outlook homepage via registry keys that call out to an interactive Python web server. This web server serves custom patched VBScript files that execute a command and return a string response.
Despite the belief that the Outlook home page functionality had been patched (CVE-2017-11774), it was discovered that the associated Registry values continue to be utilized by Outlook, even in current Office 365 installs.
To establish a C2 channel, an attacker can modify a single non-privileged Registry key, creating the REG_SZ
value of URL
under HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox
and pointing it to the validation URL on the Specula server:
Practice
You can use IP addresses, but a recommendation is to use a DNS record. In this example we are going to use DNS. Start by pointing a DNS record towards your public IP of the server you will be using as a Specula server. Let us pretend that we created an A-record named demo.specula.com with the value of our public IP.
HTTPS
If you are planning to use SSL (Recommended) you will need to request the certificates. This guide shows how to do that with free let's encrypt certificates. We first need to install certbot:
Next you want to make sure that you have allowed inbound communication on port 80/443. Then we request a certificate using the example of demo.specula.com (change this to your environment):
This will produce certificate files so note down the paths to them, since you will need to reference them when starting Specula for the first time. In our example we want to keep these lines:
The path to fullchain.pem will be the input when Specula asks for the cert_file as part of the startup and the privkey.pem will be to the key_file.
Setting up Specula
First you should install a python virtual environment. You can of course install to the global package root, but this can cause issues that are later hard to diagnose.
If you're unfamiliar with python virtual environments and just want to know what to type a basic install would look like
Starting Specula
Since this is the first time you are starting Specula it will ask you for a variety of options, which will then be stored and used for future runs. The settings will be stored in a file called specConfig.ini. If you ever want to reset your settings and start over this file can be removed.
Resources
Last updated