Specula

Specula is a C2 framework that operates via the Outlook home page feature.

Specula at its core is a C2 framework that operates via the Outlook home page feature. This is not anything specifically new, as other tooling already exposes the functionality to create a home page that can abuse this vector. The ability to abuse the Outlook home page was reported and listed as CVE-2017-11774. As a result, the Outlook home page feature was thought to have been patched by the Knowledge Base (KB) updates listed under https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11774. After a KB is installed, the UI elements related to Outlook's home page are gone, which leads one to believe the associated functionality has been removed. Unfortunately, the Registry values that those removed UI elements would have set are still read and honored by Outlook, even in current Office 365 installs.

Microsoft documents a Registry-based workaround for the missing UI elements at the link above. Because of this, if an attacker can modify a single non-privileged Registry key, a C2 channel can be established despite the technique being considered patched.
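Since the whole issue turns on a per-user Registry value that Outlook still honors, the practical defensive check is to audit those values. The script below is an added example for this page, not part of Specula or TrustedSec's tooling. It assumes the value layout Microsoft describes in its workaround documentation (HKCU:\Software\Microsoft\Office\<version>\Outlook\WebView\<Folder>\URL); the path is therefore an assumption to confirm against that documentation, and the script only reports what it finds.

```powershell
# Added example (not Specula's code): list Outlook folder home page URLs set for the current user.
# Assumption: Outlook reads HKCU:\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>\URL,
# as in Microsoft's documented workaround for the removed home page UI. Adjust if your build differs.

$officeRoot = 'HKCU:\Software\Microsoft\Office'
$findings   = @()

# Walk every Office version key present for this user (e.g. 15.0, 16.0)
Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
    ForEach-Object {
        $version = $_.PSChildName
        $webView = Join-Path -Path $_.PSPath -ChildPath 'Outlook\WebView'
        if (-not (Test-Path -Path $webView)) { return }

        # Each subkey names a folder (Inbox, Calendar, ...); a URL value there is a home page assignment
        Get-ChildItem -Path $webView | ForEach-Object {
            $url = (Get-ItemProperty -Path $_.PSPath -Name 'URL' -ErrorAction SilentlyContinue).URL
            if ($url) {
                $findings += [pscustomobject]@{
                    Version = $version
                    Folder  = $_.PSChildName
                    URL     = $url
                }
            }
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Outlook WebView home page URLs are set for the current user.'
} else {
    # A non-empty result is not proof of compromise, but each URL should be an expected, sanctioned page
    Write-Warning 'Outlook folder home page URL(s) are present; verify that each one is expected:'
    $findings | Format-Table -AutoSize
}
```

Because the value lives under HKCU, this has to run in the context of each user whose profile is being audited; an endpoint agent or a scheduled task running as the user is the usual way to collect it fleet-wide. Unexpected entries are worth treating as an incident-response trigger rather than silently deleting, since the URL itself is the most useful indicator for tracing where the assignment came from.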

TrustedSec has been able to leverage this specific channel for initial access in hundreds of clients despite the existing knowledge of, and preventions available for, this technique. For those reasons, we are releasing a cut-down version of our tooling to bring attention to this vector and hopefully close it for good.

How to Get Specula

Option 1
To download Specula, run the following command in a Linux terminal:
git clone https://github.com/trustedsec/specula

Option 2
View the repository on GitHub.

How to Get Help with Specula
For bug reports or enhancement requests, please open an issue on this project's GitHub page.