
Account Discovery: Email Accounts

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists) In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016) In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)

ID: T1087.003
Sub-technique of: T1087
Tactic(s): Discovery
Platforms: Office Suite, Windows
Data sources: Command: Command Execution, Process: Process Creation
Version: 1.2
Created: 21 Feb 2020
Last modified: 17 Oct 2024

Procedure Examples

Name / Description
TA505

TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.(Citation: Trend Micro TA505 June 2019)

Magic Hound

Magic Hound has used Powershell to discover email accounts.(Citation: DFIR Report APT35 ProxyShell March 2022)

Grandoreiro

Grandoreiro can parse Outlook .pst files to extract e-mail addresses.(Citation: ESET Grandoreiro April 2020)

RedCurl

RedCurl has collected information about email accounts.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)

Sandworm Team

Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.(Citation: ESET Telebots July 2017)

During C0027, Scattered Spider accessed Azure AD to identify email addresses.(Citation: Crowdstrike TELCO BPO Campaign December 2022)

Backdoor.Oldrea

Backdoor.Oldrea collects address book information from Outlook.(Citation: Symantec Dragonfly)

TrickBot

TrickBot collects email addresses from Outlook.(Citation: Trend Micro Trickbot Nov 2018)

Lizar

Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.(Citation: BiZone Lizar May 2021)

Ruler

Ruler can be used to enumerate Exchange users and dump the GAL.(Citation: SensePost Ruler GitHub)

MailSniper

MailSniper can be used to obtain account names from Exchange and Office 365 using the Get-GlobalAddressList cmdlet.(Citation: Black Hills Attacking Exchange MailSniper, 2016)

Emotet

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.(Citation: CIS Emotet Dec 2018)(Citation: IBM IcedID November 2017)(Citation: Binary Defense Emotes Wi-Fi Spreader)

During HomeLand Justice, threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.(Citation: CISA Iran Albanian Attacks September 2022)

BoomBox

BoomBox can execute an LDAP query to discover e-mail accounts for domain users.(Citation: MSTIC Nobelium Toolset May 2021)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
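As an added example (not part of the original page or the ATT&CK entry), the following Python scans constructed process-creation events for the Get-GlobalAddressList cmdlet named above, including when it is hidden behind PowerShell's -EncodedCommand switch. The event field names and the two related Exchange address-list cmdlets added to the pattern are my assumptions, not something the page states.

```python
"""Flag process-creation events whose command line invokes Exchange
address-list cmdlets such as Get-GlobalAddressList (ATT&CK T1087.003)."""
import base64
import re

# Get-GlobalAddressList is the cmdlet named on the page; Get-AddressList and
# Get-OfflineAddressBook are related Exchange cmdlets added here as an assumption.
ADDRESS_LIST_CMDLETS = re.compile(
    r"\bGet-(?:GlobalAddressList|AddressList|OfflineAddressBook)\b", re.IGNORECASE)

# PowerShell's -EncodedCommand switch (and its short forms) carries a
# base64-encoded UTF-16LE script; matches inside it would otherwise be missed.
ENCODED_ARG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the command line with any -EncodedCommand payload decoded and appended."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed payload: fall back to the raw command line
    return f"{cmdline} {decoded}"


def find_gal_enumeration(events):
    """Return (event id, matched cmdlet) for each event invoking an address-list cmdlet.

    Legitimate Exchange administration also uses these cmdlets, so hits should be
    reviewed against the source host and account rather than alerted on blindly.
    """
    hits = []
    for ev in events:
        text = decode_encoded_command(ev.get("command_line", ""))
        m = ADDRESS_LIST_CMDLETS.search(text)
        if m:
            hits.append((ev["id"], m.group(0)))
    return hits


# Constructed sample events (hypothetical field names, not real telemetry).
_ENCODED = base64.b64encode("Get-AddressList".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "image": "powershell.exe",
     "command_line": "powershell.exe Get-GlobalAddressList | Export-Csv gal.csv"},
    {"id": 2, "image": "powershell.exe", "command_line": f"powershell.exe -enc {_ENCODED}"},
    {"id": 3, "image": "cmd.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    print(find_gal_enumeration(SAMPLE_EVENTS))
```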

References

  1. Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6, 2019.
  2. Microsoft. (2020, February 7). Address lists in Exchange Server. Retrieved March 26, 2020.
  3. Google. (n.d.). Retrieved March 16, 2021.
  4. Bullock, B. (2016, October 3). Attacking Exchange with MailSniper. Retrieved October 6, 2019.
  5. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  6. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  7. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  8. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  9. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  10. Cherepanov, A. (2017, July 4). Analysis of TeleBots’ cunning backdoor. Retrieved June 11, 2020.
  11. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  12. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  13. Anthony, N. and Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  14. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  15. SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.
  16. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  17. CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
  18. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  19. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  20. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.

Related risks

Nothing found
