# Enail Hunter
Copyright (C) 2023 F. Brezo ([@febrezo](https://mastodon.social/@febrezo))
[![License](https://img.shields.io/badge/license-GNU%20General%20Public%20License%20Version%203%20or%20Later-blue.svg)]()
![Welcome screen](img/hi.png)
## Description
Another package to analyse emails to find potential threats.
It has been originally developed as a PoC for fun to do some work on MSG parsing and identify potential indicators of compromise of [CVE-2023-23397](https://msrc.microsoft.com/update-guide/en-EN/vulnerability/CVE-2023-23397) in those files.
Note that if you are looking for fast detection you might be interested on trying [specific Yara Rules](https://github.com/Neo23x0/signature-base/search?q=cve-2023-23397&type=commits).
## License: GNU GPLv3+
This is free software, and you are welcome to redistribute it under certain conditions.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
For more details on this issue, check the [COPYING](COPYING) file.
## Installation
This package can be installed from [PyPI](https://pypi.org).
```
$ pip3 install email-hunter
```
For local development, you can clone the repository and install it manually on your system:
```
$ git clone https://github.com/febrezo/email-hunter
$ cd email-hunter
$ pip3 install -e .
```
## Usage
The Python package will install a CLI tool to interact with locally downloaded files or folders.
```
usage: email-hunter -i LOCAL_PATH [LOCAL_PATH ...] [-o LOCAL_PATH] [-l LOG_LEVEL] [-h] [--version]
Launch Email Hunter CLI.
options:
-i LOCAL_PATH [LOCAL_PATH ...], --input LOCAL_PATH [LOCAL_PATH ...]
The files or folders to analyse. If the location is a folder, all the files in the folder will be processed. Note that several paths can be provided.
-o LOCAL_PATH, --output LOCAL_PATH
If present, an output file will be generated with the results. Note that thif the extension is ".csv", the output will be created as a CSV file. Otherwise, the output will be a JSON
file. If no value is provided, the output will be displayed as in the console.
-l LOG_LEVEL, --log-level LOG_LEVEL
It sets the log level for the application. Possible options: DEBUG, INFO, WARNING, ERROR. Default: "INFO".
About this package:
Get additional information about this package.
-h, --help shows this help and exits.
--version shows the version of this package and exits.
```
Thus, you can run the application against the files in a folder:
```
$ email-hunter -i examples
```
![Demo output](img/output.png)
# How does it suggest the detection of a potential threat?
Basically, the util parses the MSG files to search any property that contains a Universal Naming Convention (UNC) Path.
These paths are exploited in the wild as a result of how Microsoft Outlook deals with a special property in email appointments, `[PidLidReminderFileParameter`](https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxprops/b1d6170c-3824-4167-987e-8626cc396664).
Basically, this property lets Microsoft Outlook locate a sound file in a shared location to be reproduced whenever the appointment is reached.
Knowing that (and updating the [PidLidReminderOverride](https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxprops/d00d3723-be29-464d-adc9-25378ad8e1d5.) property too, an attacker can redirect the NTLM authentication process started automatically by Microsoft Outlook to their own infrastructure and have access to the NTLM hash of the victim, resulting in a potential Privilege Elevation issue.
The CVE was released on March 14th and PoC were soon proving that it could be exploited such as [this](https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/).
## Examples
In the [`./examples`](./examples) folder there are some email files which have been grabbed from VirusTotal matching different retrohunting Yara rules.
Note that some of the files can be tracked back to May 2022 (such as [`7fb7a2394e03cc4a9186237428a87b16f6bf1b66f2724aea1ec6a56904e5bfad`](https://www.virustotal.com/gui/file/7fb7a2394e03cc4a9186237428a87b16f6bf1b66f2724aea1ec6a56904e5bfad)).
Raw data
{
"_id": null,
"home_page": "",
"name": "email-hunter",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.7",
"maintainer_email": "",
"keywords": "threat-hunting,dfir,forensics,email,cve-2023-23397",
"author": "",
"author_email": "F\u00e9lix Brezo <contacto@felixbrezo.com>",
"download_url": "https://files.pythonhosted.org/packages/b2/98/7577ab4d33b2379afff8bdf720bfe657cbff0d55051e8f112b5535bdb63c/email_hunter-0.1.0.tar.gz",
"platform": null,
"description": "# Enail Hunter\n\nCopyright (C) 2023 F. Brezo ([@febrezo](https://mastodon.social/@febrezo))\n\n[![License](https://img.shields.io/badge/license-GNU%20General%20Public%20License%20Version%203%20or%20Later-blue.svg)]()\n\n![Welcome screen](img/hi.png)\n\n## Description\n\nAnother package to analyse emails to find potential threats.\nIt has been originally developed as a PoC for fun to do some work on MSG parsing and identify potential indicators of compromise of [CVE-2023-23397](https://msrc.microsoft.com/update-guide/en-EN/vulnerability/CVE-2023-23397) in those files.\n\nNote that if you are looking for fast detection you might be interested on trying [specific Yara Rules](https://github.com/Neo23x0/signature-base/search?q=cve-2023-23397&type=commits).\n\n## License: GNU GPLv3+\n\n\nThis is free software, and you are welcome to redistribute it under certain conditions.\n\n\tThis program is free software: you can redistribute it and/or modify\n\tit under the terms of the GNU General Public License as published by\n\tthe Free Software Foundation, either version 3 of the License, or\n\t(at your option) any later version.\n\n\tThis program is distributed in the hope that it will be useful,\n\tbut WITHOUT ANY WARRANTY; without even the implied warranty of\n\tMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n\tGNU General Public License for more details.\n\n\tYou should have received a copy of the GNU General Public License\n\talong with this program. If not, see <http://www.gnu.org/licenses/>.\n\n\nFor more details on this issue, check the [COPYING](COPYING) file.\n\n## Installation\n\nThis package can be installed from [PyPI](https://pypi.org).\n\n```\n$ pip3 install email-hunter\n```\n\nFor local development, you can clone the repository and install it manually on your system:\n\n```\n$ git clone https://github.com/febrezo/email-hunter\n$ cd email-hunter\n$ pip3 install -e .\n```\n\n## Usage\n\nThe Python package will install a CLI tool to interact with locally downloaded files or folders.\n\n```\nusage: email-hunter -i LOCAL_PATH [LOCAL_PATH ...] [-o LOCAL_PATH] [-l LOG_LEVEL] [-h] [--version]\n\nLaunch Email Hunter CLI.\n\noptions:\n -i LOCAL_PATH [LOCAL_PATH ...], --input LOCAL_PATH [LOCAL_PATH ...]\n The files or folders to analyse. If the location is a folder, all the files in the folder will be processed. Note that several paths can be provided.\n -o LOCAL_PATH, --output LOCAL_PATH\n If present, an output file will be generated with the results. Note that thif the extension is \".csv\", the output will be created as a CSV file. Otherwise, the output will be a JSON\n file. If no value is provided, the output will be displayed as in the console.\n -l LOG_LEVEL, --log-level LOG_LEVEL\n It sets the log level for the application. Possible options: DEBUG, INFO, WARNING, ERROR. Default: \"INFO\".\n\nAbout this package:\n Get additional information about this package.\n\n -h, --help shows this help and exits.\n --version shows the version of this package and exits.\n\n```\n\nThus, you can run the application against the files in a folder:\n\n```\n$ email-hunter -i examples\n```\n\n![Demo output](img/output.png)\n\n# How does it suggest the detection of a potential threat?\n\nBasically, the util parses the MSG files to search any property that contains a Universal Naming Convention (UNC) Path. \nThese paths are exploited in the wild as a result of how Microsoft Outlook deals with a special property in email appointments, `[PidLidReminderFileParameter`](https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxprops/b1d6170c-3824-4167-987e-8626cc396664).\nBasically, this property lets Microsoft Outlook locate a sound file in a shared location to be reproduced whenever the appointment is reached.\nKnowing that (and updating the [PidLidReminderOverride](https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxprops/d00d3723-be29-464d-adc9-25378ad8e1d5.) property too, an attacker can redirect the NTLM authentication process started automatically by Microsoft Outlook to their own infrastructure and have access to the NTLM hash of the victim, resulting in a potential Privilege Elevation issue.\nThe CVE was released on March 14th and PoC were soon proving that it could be exploited such as [this](https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/).\n\n## Examples\n\nIn the [`./examples`](./examples) folder there are some email files which have been grabbed from VirusTotal matching different retrohunting Yara rules.\nNote that some of the files can be tracked back to May 2022 (such as [`7fb7a2394e03cc4a9186237428a87b16f6bf1b66f2724aea1ec6a56904e5bfad`](https://www.virustotal.com/gui/file/7fb7a2394e03cc4a9186237428a87b16f6bf1b66f2724aea1ec6a56904e5bfad)).\n",
"bugtrack_url": null,
"license": "GNU GPLv3+",
"summary": "Another package to analyse emails to find potential threats.",
"version": "0.1.0",
"split_keywords": [
"threat-hunting",
"dfir",
"forensics",
"email",
"cve-2023-23397"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "b2987577ab4d33b2379afff8bdf720bfe657cbff0d55051e8f112b5535bdb63c",
"md5": "ab5c1f9a9eac9a84e4268b6097705424",
"sha256": "09e23b041eac78567ad42a36de7e83bdd19576e48c4b64f429c88e0fcb16a14b"
},
"downloads": -1,
"filename": "email_hunter-0.1.0.tar.gz",
"has_sig": false,
"md5_digest": "ab5c1f9a9eac9a84e4268b6097705424",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.7",
"size": 9511,
"upload_time": "2023-03-18T09:51:08",
"upload_time_iso_8601": "2023-03-18T09:51:08.340307Z",
"url": "https://files.pythonhosted.org/packages/b2/98/7577ab4d33b2379afff8bdf720bfe657cbff0d55051e8f112b5535bdb63c/email_hunter-0.1.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-03-18 09:51:08",
"github": false,
"gitlab": false,
"bitbucket": false,
"lcname": "email-hunter"
}