A modular C2 framework that weaponizes Outlook calendar invites (.ics) to deliver covert command and control on low-privileged, air-gapped systems.
Pre-req: Microsoft Outlook installed.
- Deploy implant.ps1 to the target system.
- Send a calendar invite to the target user's mail address. Make sure the subject of the calendar invite follows this pattern: invite: "code here". Notice the word invite: it is used as a regex trigger to execute anything after it. Put your payload between the quotation marks.
- Once the target user receives your invite, their Outlook calendar is synced automatically; the implant then grabs the payload and executes it. Execution could be optimized; it currently does not operate very stealthily.
- As soon as the payload has been executed, the implant grabs its stdout and puts it back into the invite's message body. The advantage of this exfil mechanism is that the data is not really exfiltrated but is just visible in the invite to the C2 operator too.
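
For defenders, the subject-line trigger described above is something a mail gateway or mailbox audit can look for. The following is an added example, not part of this project's code: it parses .ics text and flags events whose SUMMARY matches the described pattern. The regex, the function names and the sample data are assumptions constructed for illustration, since the implant's actual regex is not shown here.

```python
import re

# Assumption: the trigger is the word "invite", a colon, then a double-quoted
# string, as the README describes. The implant's actual regex is not shown.
TRIGGER = re.compile(r'\binvite\s*:\s*"(.+?)"', re.IGNORECASE | re.DOTALL)
# NAME, optional ;PARAM=value parts (quoted values may contain ':'), then ':' VALUE
PROP = re.compile(r'^([A-Za-z0-9-]+)((?:;(?:"[^"]*"|[^":;])*)*):(.*)$', re.DOTALL)

# Constructed sample: one ordinary meeting and one folded, parameterised SUMMARY.
SAMPLE = (
    'BEGIN:VCALENDAR\r\nVERSION:2.0\r\n'
    'BEGIN:VEVENT\r\nUID:constructed-1@example.test\r\n'
    'SUMMARY:Quarterly review\r\nEND:VEVENT\r\n'
    'BEGIN:VEVENT\r\nUID:constructed-2@example.test\r\n'
    'SUMMARY;LANGUAGE=en-US:Invite: "host\r\n name"\r\nEND:VEVENT\r\n'
    'END:VCALENDAR\r\n'
)

def unfold(ics_text):
    """Undo RFC 5545 folding: a line break followed by one space or tab."""
    return re.sub(r'\r?\n[ \t]', '', ics_text)

def unescape(value):
    """Decode RFC 5545 TEXT escapes (\\n, \\, \\; and \\\\)."""
    return re.sub(r'\\(.)', lambda m: '\n' if m.group(1) in 'nN' else m.group(1), value)

def flag_invites(ics_text):
    """Return (uid, quoted_text) for every VEVENT SUMMARY that matches TRIGGER."""
    hits, uid, found = [], None, []
    for line in unfold(ics_text).splitlines():
        m = PROP.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(3)
        if name == 'BEGIN' and value.upper() == 'VEVENT':
            uid, found = None, []
        elif name == 'END' and value.upper() == 'VEVENT':
            hits += [(uid, text) for text in found]
            found = []
        elif name == 'UID':
            uid = value
        elif name == 'SUMMARY':
            found += TRIGGER.findall(unescape(value))
    return hits

if __name__ == '__main__':
    for uid, text in flag_invites(SAMPLE):
        print(f'suspicious subject in {uid}: {text!r}')
```

A hit is a lead for triage rather than proof: pair it with a check of whether the same invite's body changed after delivery, since the last step above writes command output back into it.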
I've warned you. Don't use this for illegal stuff, else you will be fully liable. I've built this to test and research covert red-teaming in enterprise networks.