Ruler - Pivoting Through Exchange

March 23, 2017 (at 11:30 a.m.) in Defense and Management

Microsoft Exchange has become the defacto gateway into most organisations. By nature, Exchange needs to be externally accessible, and usually falls outside of normal security monitoring. This can allow for the bypass of common security mechanisms. Even when organisations move into the cloud, their Exchange servers still provide access into the internal environment. It has been shown in the past that abusing the rules feature of Outlook, combined with auto-synchronisation through Exchange, can allow for Remote code-execution.

Furthermore, Exchange offers a covert communication channel outside of the usual HTTP or TCP employed by most malware. Using the mailbox itself, it is possible to create a communication channel that doesn't traverse the normal network boundary, and appears to be normal Exchange behaviour when inspected on the wire.

Introducing Ruler:

During our Red Team assessments, we saw an opportunity to utilise inherent weaknesses of Microsoft Exchange and create a fully-automated tool that aided further breach of the network. Ruler allows for the easier abuse of built in functionality, including the ability to execute code on every mailbox connected to the Exchange server.

This talk will showcase the numerous features of Ruler, demonstrating how to gain a foothold, pop shells on every connected mailbox, use Exchange as a covert communication channel and maintain a near invisible persistence in the organisation. We will also discuss possible defenses against the demonstrated attacks.

 Etienne Stalmans

Etienne is a Senior Security Analyst & Researcher at SensePost, with a keen interest in protocol reversing and finding ways to abuse functionality in everyday products. He completed a MSc in Network Security, focusing on Botnets and DNS. He has spoken at Botconf 2013, DefCon 23 and BSidesCapeTown, along with several academic conferences.