# Full Report

Getting access to an internal network is always great; keeping this access can be a whole other challenge. At times we want to fly below the radar and ensure our access doesn’t get detected or blocked by traditional network-based solutions. To this end, communicating directly through an Exchange server can be very beneficial and solve both challenges.

## Technical details

Ruler provides us with a means of getting a shell on an internal network. This is all done through Exchange and ensures our “trigger” for getting a shell back is usually only an email away. To a large degree this gives us the desired persistence; however, we are still dependent on our traditional communication channels, be it DNS, HTTP(S) or TCP. This means our tools still need to traverse the traditional network boundary, aka the web gateway. Defenders place all their in-line defences here and should be able to detect and block our traffic. Exchange usually falls outside of this monitoring, as it should only be sending and receiving email. Sure, there can be DLP and in-line scanning for malicious mail attachments, but this is usually aimed at the actual email messages. Do you have, or have you seen, in-line inspection of the Exchange/Outlook transport? Not the IMAP/SMTP traffic, but the MAPI/HTTP or RPC/HTTP channel that external Outlook clients use to communicate with the Exchange server. In my experience the answer is usually no: there is no inspection of these transports.
# Analysis Summary
# Tool/Technique: Liniaal (extension of Ruler)
## Overview
Liniaal is a custom C2 framework extension, built upon the **Ruler** tool, designed to establish a stealthy, persistent communication channel with an internal compromised host by exclusively using the Microsoft Exchange server's MAPI/HTTP or RPC/HTTP transport protocols. This circumvents traditional network-based defenses (like web gateways) by piggybacking on legitimate Outlook synchronization traffic, utilizing hidden folders within the user's mailbox to store command and control data.
## Technical Details
- Type: Tool (C2 Framework Extension/Transport Layer)
- Platform: Windows (requires a PowerShell agent that uses the Office Interop assembly)
- Capabilities: Establishes C2 persistence by reading/writing messages to hidden folders on the Exchange server; leverages existing MAPI/HTTP or RPC/HTTP channels; operates under the guise of legitimate Outlook traffic.
- First Seen: March 2017 (Public disclosure date)
## MITRE ATT&CK Mapping
The core function described is maintaining an established C2 channel, with command ingress and data egress routed so that they avoid typical inspection points.
- **TA0011 - Command and Control**
  - T1090 - Proxy: Multi-hop Proxy (the Exchange server acts as an implicit intermediate hop)
  - T1071 - Application Layer Protocol: Web Protocols (leverages MAPI/HTTP or RPC/HTTP, which ride over HTTPS)
- **TA0008 - Lateral Movement** (if initial access is assumed)
  - T1021 - Remote Services (related to the transport mechanism used by Outlook)
- **TA0003 - Persistence**
  - T1533 - Data from Local System (the mechanism relies on persistence via mailbox state)
## Functionality
### Core Capabilities
- **Exchange-Based C2:** Establishing communication exclusively via MAPI/HTTP or RPC/HTTP (the transport mechanisms used by external Outlook clients).
- **Stealth Communication:** Bypassing web gateways and inline security solutions that typically inspect SMTP/IMAP or standard web traffic, since the MAPI/HTTP and RPC/HTTP channels are generally not inspected.
- **Data Staging:** Creating and reading command messages stored within *hidden* Exchange mailbox folders, which are not visible in the standard Outlook or OWA User Interface.
- **Persistence Trigger:** The shell/agent check-in is triggered by reading the staged message from the hidden folder, effectively making the persistence tied to the mailbox state.
### Advanced Features
- **Leveraging Existing Tools:** Extends the functionality of the **Ruler** tool by adding custom MAPI Remote Operations necessary for folder management, message reading, and message deletion.
- **Empire Integration:** Custom listener and agent created for the **Empire 2.0** framework to handle the specific logic for generating the launcher and agent capable of communicating via the Exchange transport.
- **Low and Slow Operation:** Configurable check-in intervals (e.g., once per day/week/month) to maximize stealth.
- **Transport Encryption:** Communication is wrapped in HTTPS for both transports; the RPC/HTTP channel can additionally carry RPC-level encryption negotiated through NTLM authentication.
## Indicators of Compromise
The indicators are heavily focused on the *environment* and *behavior* rather than traditional malware files since Liniaal relies on the legitimate Exchange infrastructure and valid user credentials.
- File Hashes: N/A for the transport component itself; depends on the initial implant stager.
- File Names: N/A (Agent runs in memory or uses standard system functions).
- Registry Keys: N/A
- Network Indicators: All traffic appears as standard Outlook synchronization traffic over HTTPS/ports utilized for MAPI/HTTP or RPC/HTTP.
- Behavioral Indicators:
  - Use of valid user credentials to access Exchange services outside of the expected application context (e.g., PowerShell interacting with MAPI operations).
  - Creation or manipulation of unknown or hidden folders within a user's Exchange mailbox via connected clients.
  - Suspicious pattern of MAPI synchronization calls originating from a host that doesn't typically run Outlook for that user.
## Associated Threat Actors
The tool was released publicly by SensePost (specifically Etienne). Use by major established threat actor groups is not documented in the source, but the design is highly applicable to advanced persistent threats (APTs) seeking low-and-slow internal communication.
## Detection Methods
Since this method avoids traditional C2 channels, detection must focus on the Exchange transport itself:
- **Signature-based detection:** Unlikely for the C2 traffic itself, as it mimics legitimate traffic. Signatures might apply to the initial Empire stager/launcher.
- **Behavioral detection:** Monitoring MAPI/HTTP or RPC/HTTP traffic patterns for anomalous behavior, such as an endpoint querying or writing messages to hidden mailbox folders programmatically.
- **Auditing:** Monitoring Exchange server logs (e.g., IIS logs for MAPI/HTTP requests) for unusual command sequences or rapid message processing that defies normal user interaction patterns.
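The behavioral indicators above and the auditing approach just described both come down to the same question: does a given MAPI/HTTP or RPC/HTTP session look like an Outlook client synchronising a mailbox, or like a script driving the transport? The following Python is an added example written for this page, not code from the original post or from the Ruler/Liniaal project. It parses a constructed IIS W3C log excerpt from an Exchange front end (accounts, IPs and user agents are made up), keeps only requests to the transport endpoints, and raises three findings: a non-Outlook user agent on the transport, access from a host that is not in the user's Outlook baseline, and a request burst that does not fit interactive use. The per-user baseline dictionary and the burst threshold are assumptions to be tuned against real traffic; a tool can spoof the Outlook user agent, so the host and timing rules matter more than the user-agent rule.

```python
"""Added example (not part of the original post or the Ruler/Liniaal code): flag
MAPI/HTTP and RPC/HTTP sessions in Exchange front-end IIS logs that do not look
like a normal Outlook client synchronising a mailbox."""
from collections import defaultdict
from datetime import datetime, timedelta

# Front-end endpoints for the two Outlook transports the page discusses.
TRANSPORT_PATHS = ("/mapi/emsmdb/", "/mapi/nspi/", "/rpc/rpcproxy.dll")

# Constructed IIS W3C log excerpt: accounts, IPs and user agents are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2017-03-01 08:00:01 POST /mapi/emsmdb/ CORP\\alice 10.1.1.20 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7766;+Pro) 200
2017-03-01 08:00:31 POST /mapi/emsmdb/ CORP\\alice 10.1.1.20 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7766;+Pro) 200
2017-03-01 08:01:02 POST /mapi/emsmdb/ CORP\\alice 10.1.1.20 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7766;+Pro) 200
2017-03-01 09:15:00 POST /mapi/emsmdb/ CORP\\alice 10.9.9.9 Mozilla/5.0+(constructed-scripted-client) 200
2017-03-01 09:15:00 POST /mapi/emsmdb/ CORP\\alice 10.9.9.9 Mozilla/5.0+(constructed-scripted-client) 200
2017-03-01 09:15:01 POST /mapi/emsmdb/ CORP\\alice 10.9.9.9 Mozilla/5.0+(constructed-scripted-client) 200
2017-03-01 09:15:01 POST /mapi/emsmdb/ CORP\\alice 10.9.9.9 Mozilla/5.0+(constructed-scripted-client) 200
2017-03-01 09:15:01 POST /mapi/emsmdb/ CORP\\alice 10.9.9.9 Mozilla/5.0+(constructed-scripted-client) 200
2017-03-01 09:15:02 POST /mapi/emsmdb/ CORP\\alice 10.9.9.9 Mozilla/5.0+(constructed-scripted-client) 200
2017-03-01 08:02:00 POST /mapi/emsmdb/ CORP\\bob 10.1.1.21 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7766;+Pro) 200
2017-03-01 10:00:00 GET /owa/ CORP\\bob 10.1.1.21 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that cannot be mapped onto the header
        rec = dict(zip(fields, values))
        rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")  # IIS writes spaces as '+'
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def is_transport_request(rec):
    """True for requests to the MAPI/HTTP or RPC/HTTP endpoints."""
    return rec["cs-uri-stem"].lower().startswith(TRANSPORT_PATHS)


def find_anomalies(text, known_clients, burst_threshold=5, burst_window=timedelta(seconds=60)):
    """Return a sorted list of (user, client_ip, reason) findings.

    known_clients is an assumed baseline {user: {ip, ...}} of hosts that normally
    run Outlook for that user; how it is built is environment-specific.
    """
    findings = set()
    per_session = defaultdict(list)  # (user, ip) -> request timestamps
    for rec in parse_w3c(text):
        if not is_transport_request(rec):
            continue
        user, ip, ua = rec["cs-username"], rec["c-ip"], rec["cs(User-Agent)"]
        per_session[(user, ip)].append(rec["ts"])
        # Rule 1: something other than Outlook is driving the Outlook transport.
        if "Microsoft Outlook" not in ua:
            findings.add((user, ip, "non_outlook_user_agent"))
        # Rule 2: the mailbox is accessed from a host that does not normally run Outlook for this user.
        if ip not in known_clients.get(user, set()):
            findings.add((user, ip, "unexpected_client_host"))
    # Rule 3: bursts of transport requests inside a short window. Outlook's own
    # synchronisation is fairly chatty, so the threshold must be tuned to the baseline.
    for (user, ip), stamps in per_session.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > burst_window:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.add((user, ip, "request_burst"))
                break
    return sorted(findings)


if __name__ == "__main__":
    baseline = {"CORP\\alice": {"10.1.1.20"}, "CORP\\bob": {"10.1.1.21"}}
    for finding in find_anomalies(SAMPLE_LOG, baseline):
        print(finding)
```

Run against the constructed log, only the second session for `CORP\alice` (from `10.9.9.9`) is reported, on all three rules; the morning Outlook session and Bob's traffic pass. Each rule is weak on its own: a scripted client can present an Outlook user agent, and a compromised host that already runs Outlook for the user passes the host rule, which is why the findings should be correlated with the folder-creation and PowerShell indicators listed above rather than treated as verdicts.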
## Mitigation Strategies
1. **Network Visibility:** Implement deep packet inspection or endpoint monitoring capable of analyzing the payload content traversing the MAPI/HTTP or RPC/HTTP channels, even within the HTTPS/encrypted layer, if possible (e.g., TLS inspection at the gateway).
2. **Credential Security:** Strong credential hygiene and rapid detection of compromised credentials, as valid credentials are a prerequisite. Employ MFA where possible.
3. **Application Control:** Restrict the execution of components like PowerShell that use Office Interop assemblies unless absolutely necessary for the user role.
4. **Principle of Least Privilege:** Ensure the compromised user account has only the minimum necessary permissions on the Exchange server for email management.
## Related Tools/Techniques
- **Ruler:** The underlying tool, with its MAPI/HTTP and RPC/HTTP client code, that Liniaal extends to interact with Exchange.
- **Empire (v2.0):** The primary C2 framework extended by Liniaal.
- **Innuendo Outlook Channel:** A previously discussed technique that relied on actively sending email via SMTP, whereas Liniaal uses the internal transport layer and sends no external email.