\check_mail


A single non-default scheduled task, \check_mail, has been identified:

ps c:\Users\btables> cmd /c schtasks /QUERY /TN \check_mail /V /FO LIST

folder: \
hostname:                             CLIENT
taskname:                             \check_mail
next run time:                        N/A
status:                               Running
logon mode:                           Interactive only
last run time:                        1/5/2024 11:38:12 AM
last result:                          267009
author:                               OUTDATED\btables
task to run:                          powershell.exe -file c:\users\btables\check_mail.ps1
start in:                             N/A
comment:                              N/A
scheduled task state:                 Enabled
idle time:                            Disabled
power management:                     Stop On Battery Mode, No Start On Batteries
run as user:                          btables
delete task if not rescheduled:       Disabled
stop task if runs x hours and x mins: 72:00:00
schedule:                             Scheduling data is not available in this format.
schedule type:                        At logon time
start time:                           N/A
start date:                           N/A
end date:                             N/A
days:                                 N/A
months:                               N/A
repeat: Every:                        N/A
repeat: Until: Time:                  N/A
repeat: Until: Duration:              N/A
repeat: Stop If Still Running:        N/A

It executes a PowerShell script located at c:\users\btables\check_mail.ps1.
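As an added triage aid (my own code, not anything from the box), here is a small Python parser for the schtasks /FO LIST format shown above; it records why \check_mail stands out (the heuristics are my own assumptions) and decodes the 267009 last-result code, which is the Task Scheduler HRESULT 0x41301 "task is currently running".

```python
import re

# Constructed sample: the fields that matter from the `schtasks /QUERY /V /FO LIST`
# record for \check_mail shown above (backslashes doubled only for Python).
SAMPLE_OUTPUT = """
folder: \\
taskname:                             \\check_mail
last result:                          267009
author:                               OUTDATED\\btables
task to run:                          powershell.exe -file c:\\users\\btables\\check_mail.ps1
schedule type:                        At logon time
"""

# Decimal codes as schtasks prints them; they are Task Scheduler HRESULT values.
LAST_RESULT = {0: "success (0x0)", 267008: "ready (0x41300)",
               267009: "running (0x41301)", 267011: "has not run (0x41303)"}

def parse_list_output(text):
    """Parse /FO LIST records (blank-line separated) into dicts keyed by lower-cased field."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        # Value starts after the first ":" followed by the padding run of spaces;
        # short fields such as "folder: \" have only a single space after the colon.
        m = re.match(r"^(.*?):\s{2,}(.*)$", line) or re.match(r"^(.*?):\s(.*)$", line)
        if m:
            current[m.group(1).strip().lower()] = m.group(2).strip()
    if current:
        tasks.append(current)
    return tasks

def decode_last_result(task):
    code = int(task.get("last result", "0"))
    return LAST_RESULT.get(code, "unknown (0x%X)" % code)

def triage_task(task):
    """Reasons a task deserves a closer look; an empty list means nothing stood out."""
    action, author, reasons = task.get("task to run", ""), task.get("author", ""), []
    if re.search(r"\b[a-z]:\\users\\", action, re.I):
        reasons.append("action runs a file from a user profile directory")
    if re.search(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b", action, re.I):
        reasons.append("action is a script interpreter")
    if task.get("schedule type", "").lower() == "at logon time":
        reasons.append("runs at every interactive logon of the user")
    if "\\" in author and not author.upper().startswith("NT AUTHORITY\\"):
        reasons.append("authored by a user account rather than a built-in principal")
    return reasons
```

Feeding it the full verbose listing of every task on the host (schtasks /QUERY /V /FO LIST) gives a quick shortlist of user-authored, logon-triggered script tasks to inspect by hand.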

c:\users\btables\check_mail.ps1


PS C:\Users\btables> cat c:\users\btables\check_mail.ps1
Import-Module Mailozaurr
$user = 'btables@outdated.htb'
$pass = 'GHKKb7GEHcccdCT8tQV2QwL3'
$regex = [Regex]::new('(http(s)?(:\/\/))?((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|[\w.]\.htb)(\/[^\s,]+)?)')
$already_seen = @()
$client = connect-imap -server 'mail.outdated.htb' -password $pass -username $user -port 143 -options auto
while ($true) {
    $msgs = Get-IMAPFolder -client $client -verbose
    foreach ($msg in $msgs.Messages) {
        if (-not ($already_seen -contains $msg.MessageId)) {
            $already_seen = $already_seen + $msg.MessageId
            $match = $regex.Matches($msg.TextBody.TrimEnd())
            iwr $match.Value
        }
    }
    if ($already_seen.count -ge 60) {$already_seen = @()}
    #Disconnect-IMAP -Client $client
    sleep 15
    if (get-process -name msdt) {stop-process -name msdt -force}
    sleep 15
}

The PowerShell script uses the Mailozaurr module to connect to the IMAP server at mail.outdated.htb:143 as the btables user. It then loops forever: it retrieves the messages in the folder, extracts URLs from the body of each message it has not already processed, and issues a web request (iwr) to whatever URL the regex found. It keeps a list of seen message IDs to avoid duplicate processing and clears that list once it holds 60 entries. Between polls it sleeps and checks for a running “msdt” process (the Microsoft Support Diagnostic Tool), killing it if present.

This was the “automated” PowerShell script that I speculated about earlier.

The credential appears to be specific to the IMAP server and is unrelated to both the domain and the client.outdated.htb host.