
Account Discovery: Email Account

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists) In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016) In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)

ID: T1087.003
Sub-technique of: T1087
Tactic(s): Discovery
Platforms: Google Workspace, Office 365, Windows
Permissions required: User
Data sources: Command: Command Execution, Process: Process Creation
Version: 1.1
Created: 21 Feb 2020
Last modified: 31 Mar 2021

Procedure examples

Name / Description
TA505

TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.(Citation: Trend Micro TA505 June 2019)

Magic Hound

Magic Hound has used Powershell to discover email accounts.(Citation: DFIR Report APT35 ProxyShell March 2022)

Grandoreiro

Grandoreiro can parse Outlook .pst files to extract e-mail addresses.(Citation: ESET Grandoreiro April 2020)

Sandworm Team

Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.(Citation: ESET Telebots July 2017)

Backdoor.Oldrea

Backdoor.Oldrea collects address book information from Outlook.(Citation: Symantec Dragonfly)

TrickBot

TrickBot collects email addresses from Outlook.(Citation: Trend Micro Trickbot Nov 2018)

Lizar

Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.(Citation: BiZone Lizar May 2021)

Ruler

Ruler can be used to enumerate Exchange users and dump the GAL.(Citation: SensePost Ruler GitHub)

MailSniper

MailSniper can be used to obtain account names from Exchange and Office 365 using the Get-GlobalAddressList cmdlet.(Citation: Black Hills Attacking Exchange MailSniper, 2016)

Emotet

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.(Citation: CIS Emotet Dec 2018)(Citation: IBM IcedID November 2017)

BoomBox

BoomBox can execute an LDAP query to discover e-mail accounts for domain users.(Citation: MSTIC Nobelium Toolset May 2021)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
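The detection guidance above is framed around process creation and command-line monitoring. The following is an added example, not part of the original technique page: a small Python routine that runs over a handful of constructed process-creation events (Sysmon-style User, Image and CommandLine fields, not real telemetry) and flags the indicators this page names, namely the Get-GlobalAddressList cmdlet and the MailSniper and Ruler tool names. It also applies the caveat a practitioner needs here: Exchange administrators run Get-GlobalAddressList legitimately, so hits from a constructed allowlist of admin accounts are rated low rather than high. The bulk mail-attribute query indicator and the EXCHANGE_ADMINS allowlist are assumptions of this example, not indicators from the page, and the final count-by-user step shows how several discovery hits from one ordinary user form the "chain of behavior" the text describes.

```python
import re
from collections import Counter

# Constructed sample process-creation events (Sysmon Event ID 1 style fields,
# trimmed to the ones this logic uses). Illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    {"User": "CORP\\exchadmin",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command \"Get-GlobalAddressList | Select-Object Name\""},
    {"User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -c \"Import-Module .\\MailSniper.ps1; "
                    "Get-GlobalAddressList -ExchHostname mail.corp.local\""},
    {"User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\ruler.exe",
     "CommandLine": "ruler.exe"},  # arguments omitted; the image name is the indicator
    {"User": "CORP\\svc-backup",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Backups"},  # benign, should not match
    {"User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ADUser -Filter * -Properties mail | Select mail"},
]

# Indicators: (label, compiled pattern, event fields to search).
# The first three come from the technique page; the last is an assumption of
# this example (a bulk query for the mail attribute), not a page-stated indicator.
INDICATORS = [
    ("Get-GlobalAddressList cmdlet", re.compile(r"get-globaladdresslist", re.I), ("CommandLine",)),
    ("MailSniper tooling", re.compile(r"mailsniper", re.I), ("Image", "CommandLine")),
    # Match "ruler" / "ruler.exe" only as a whole path or token, so e.g. "scheduler.exe" does not hit.
    ("Ruler tooling", re.compile(r"(?:^|[\\/ ])ruler(?:\.exe)?(?:$|\s)", re.I), ("Image", "CommandLine")),
    ("Bulk mail-attribute query (assumed indicator)", re.compile(r"-Properties\s+mail\b", re.I), ("CommandLine",)),
]

# Constructed allowlist: accounts expected to touch the GAL as part of their job.
EXCHANGE_ADMINS = {"CORP\\exchadmin"}


def detect(events):
    """Return one finding per event that matches at least one indicator.

    Severity is lowered for known Exchange admins, because the same cmdlet is
    routine for them; everyone else is rated high and should be triaged.
    """
    findings = []
    for ev in events:
        hits = [label for label, rx, fields in INDICATORS
                if any(rx.search(ev.get(f, "")) for f in fields)]
        if not hits:
            continue
        user = ev.get("User", "")
        findings.append({
            "user": user,
            "indicators": hits,
            "severity": "low" if user in EXCHANGE_ADMINS else "high",
            "command_line": ev.get("CommandLine", ""),
        })
    return findings


def count_by_user(findings):
    """Aggregate high-severity hits per account; repeated hits from one
    non-admin user are the chain of behavior worth escalating."""
    return Counter(f["user"] for f in findings if f["severity"] == "high")


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['severity'].upper()}] {f['user']}: {', '.join(f['indicators'])}")
    print("High-severity hits per user:", dict(count_by_user(results)))
```

Run stand-alone, the script reports one low-severity hit for the admin account and three high-severity hits for the ordinary user, which is the pattern a triage rule would escalate. In production the allowlist would come from a directory group rather than a hard-coded set, and the command-line patterns would be joined with the parent-process and network context the text recommends.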

References

  1. Google. (n.d.). Retrieved March 16, 2021.
  2. Bullock, B. (2016, October 3). Attacking Exchange with MailSniper. Retrieved October 6, 2019.
  3. Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6, 2019.
  4. Microsoft. (2020, February 7). Address lists in Exchange Server. Retrieved March 26, 2020.
  5. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  6. Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  7. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group's Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  8. Cherepanov, A. (2017, July 4). Analysis of TeleBots' cunning backdoor. Retrieved June 11, 2020.
  9. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker's toolkit. Retrieved February 2, 2022.
  10. SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.
  11. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  12. MSTIC. (2021, May 28). Breaking down NOBELIUM's latest early-stage toolset. Retrieved August 4, 2021.
  13. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020.
  14. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  15. CIS. (2018, December 12). MS-ISAC Security Primer - Emotet. Retrieved March 25, 2019.

Related risks

Nothing found
