Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Сбор эл. почты (локально)
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Сбор эл. почты (локально)
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Email Collection:  Сбор эл. почты (локально)

ID Название
.001 Сбор эл. почты (локально)
.002 Сбор эл. почты (удаленно)
.003 Правила пересылки эл. почты

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\\Documents\Outlook Files` or `C:\Users\\AppData\Local\Microsoft\Outlook`.(Citation: Microsoft Outlook Files)

ID: T1114.001
Относится к технике:  T1114
Тактика(-и): Collection
Платформы: Windows
Источники данных: Command: Command Execution, File: File Access
Версия: 1.1
Дата создания: 19 Feb 2020
Последнее изменение: 25 Apr 2025

Примеры процедур
Название Описание
Smoke Loader

Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).(Citation: Talos Smoke Loader July 2018)
CosmicDuke

CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.(Citation: F-Secure Cosmicduke)
Emotet

Emotet has been observed leveraging a module that scrapes email data from Outlook.(Citation: CIS Emotet Dec 2018)
Crimson

Crimson contains a command to collect and exfiltrate emails from Outlook.(Citation: Proofpoint Operation Transparent Tribe March 2016)
Empire

Empire has the ability to collect emails on a target system.(Citation: Github PowerShell Empire)
Carbanak

Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.(Citation: FireEye CARBANAK June 2017)
Out1

Out1 can parse e-mails on a target machine.(Citation: Trend Micro Muddy Water March 2021)
KGH_SPY

KGH_SPY can harvest data from mail clients.(Citation: Cybereason Kimsuky November 2020)
LunarMail

LunarMail can capture the recipients of sent email messages from compromised accounts.(Citation: ESET Turla Lunar toolset May 2024)
Pupy

Pupy can interact with a victim’s Outlook session and look through folders and emails.(Citation: GitHub Pupy)
QakBot

QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021)
APT1

APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.(Citation: Mandiant APT1)
Chimera

Chimera has harvested data from victim's e-mail including through execution of wmic /node: process call create "cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst" copy "i:\\\My Documents\.pst" copy.(Citation: NCC Group Chimera January 2021)
Magic Hound

Magic Hound has collected .PST archives.(Citation: FireEye APT35 2018)
RedCurl

RedCurl has collected emails to use in future phishing campaigns.(Citation: group-ib_redcurl1)
Winter Vivern

Winter Vivern delivered malicious JavaScript payloads capable of exfiltrating email messages from exploited email servers.(Citation: ESET WinterVivern 2023)
Sea Turtle

Sea Turtle collected email archives from victim environments.(Citation: Hunt Sea Turtle 2024)

Контрмеры
Контрмера Описание
Out-of-Band Communications Channel

Establish secure out-of-band communication channels to ensure the continuity of critical communications during security incidents, data integrity attacks, or in-network communication failures. Out-of-band communication refers to using an alternative, separate communication path that is not dependent on the potentially compromised primary network infrastructure. This method can include secure messaging apps, encrypted phone lines, satellite communications, or dedicated emergency communication systems. Leveraging these alternative channels reduces the risk of adversaries intercepting, disrupting, or tampering with sensitive communications and helps coordinate an effective incident response.(Citation: TrustedSec OOB Communications)(Citation: NIST Special Publication 800-53 Revision 5)
Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. This mitigation can be implemented through the following measures: Encrypt Data at Rest: - Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices. - Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives. Encrypt Data in Transit: - Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks. - Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption. Encrypt Backups: - Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access. - Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud. Encrypt Application Secrets: - Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults. - Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets. Database Encryption: - Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems. - Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

Обнаружение

Monitor processes and command-line arguments for actions that could be taken to gather local email files. Monitor for unusual processes accessing local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Ссылки

  1. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
  2. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  3. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  4. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  5. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  6. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024.
  7. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  8. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  9. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  10. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  11. N. O'Bryan. (2018, May 30). Managing Outlook Cached Mode and OST File Sizes. Retrieved February 19, 2020.
  12. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  13. Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024.
  14. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  15. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
  16. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  17. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  18. Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and .ost). Retrieved February 19, 2020.
  19. Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response. Retrieved August 30, 2024.
  20. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  21. CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
  22. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  23. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.