When conducting Red Team operations, especially in EDR, and ever more so XDR environments, it is critical to conduct pre-phishing to ascertain the lay of the land before sending in malicious payloads.
Similarly, while many clients are happy to provide details used for Environmental Keying, it is always useful to be able to prove that you can find this information yourself, especially when conducting attacks against Zero Trust networks, and organisations that are using Microsoft 365 and AzureAD.
With AzureAd and Zero Trust - Environmental Keying delivers new challenges which SharpInfo seeks to resolve.
This technique draws heavy inspiration from @truekonrads and his EvilPostman C2 over SMTP, our favorite (in terms of technical approach) APT; APT Turla, and Threat Intelligence highlighting the increased use of XLL Addins.
This blog post will briefly outline an approach and then share a tool that you can use to weaponise the same kind of information gathering attacks.
In the past many have relied heavily on Microsoft Word and VBA macros. However with Microsoft finally clamping down on this it was time to find other avenues.
We have spent a bit of time getting to know XLL Add-Ins and given the ability to use .NET to develop it, this sat well with my skillset so came up to speed pretty quickly.
An overview of XLL files:
An XLL file is an add-in used by Microsoft Excel, a popular spreadsheet application. It contains extra functions, templates, or other tools that enhance the capabilities of Excel. Examples of add-ins include custom chart generators and template managers.
Having developed a number of tools in XLL for vatrious functionality, SharpInfo was developed as an information gathering payload.
While I briefly toyed with the idea of doing something similar to Matterpreters' SHAPESHIFTER approach, in the end i decided that i was not going to try and discover what functions were hooked, but rather what processes were running, what environmental variables were set, and then enumerate the UserUpn which will provide me with the AzureAD domain as par of the email address and the USERDNSDOMAIN.
I also didn't like the concept of exflitrating the gathered system information over HTTPS or even DNS.
Therefore I settled on developing an XLL AddIn, gathering system information, and then using SMTP to send the information outbound.
Essentially the way the process works is the following:
- XLL Addin opens, then AutoRuns
- A few functions run that gather running processes, gather information from environmental variables, then enumerate the UserUpn and USERDNSDOMAIN
- Next it will Interop with Outlook, send an email to an account I specify before compiling, then delete the email
- The information is actually transmited as a part of the email headers, base64 encoded and AES encrypted (thank you @truekonrads)
- An error message box follows and exits
Open Source Tooling: SharpInfo
We have decided to share this code publically, having reworked the code, and implemented a number of variable, function, namespace randomzing functions when compiling the final Add-In using the console application. Given that you have .NET Framework v5 installed alongside Visual Studio 2019 & Build Tools - you can generate your own XLL information gatherer for use in engagements.
You can find the code shortly to be commited to our Github.