ID | Name |
---|---|
T1087.001 | Local Account |
T1087.002 | Domain Account |
T1087.003 | Email Account |
T1087.004 | Cloud Account |
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).[1]
In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.[2][3]
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.[4]
ID | Name | Description |
---|---|---|
S0093 | Backdoor.Oldrea |
Backdoor.Oldrea collects address book information from Outlook.[5] |
S0635 | BoomBox |
BoomBox can execute an LDAP query to discover e-mail accounts for domain users.[6] |
C0027 | C0027 |
During C0027, Scattered Spider accessed Azure AD to identify email addresses.[7] |
S0367 | Emotet |
Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[8][9][10] |
S0531 | Grandoreiro |
Grandoreiro can parse Outlook .pst files to extract e-mail addresses.[11] |
S0681 | Lizar |
Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.[12] |
G0059 | Magic Hound |
Magic Hound has used Powershell to discover email accounts.[13] |
S0413 | MailSniper |
MailSniper can be used to obtain account names from Exchange and Office 365 using the |
S0358 | Ruler |
Ruler can be used to enumerate Exchange users and dump the GAL.[14] |
G0034 | Sandworm Team |
Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.[15] |
G0092 | TA505 |
TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.[16] |
S0266 | TrickBot |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor for execution of commands and arguments associated with enumeration or information gathering of email addresses and accounts such as |
DS0009 | Process | Process Creation |
Monitor for newly executed processes, such as Windows Management Instrumentation and PowerShell , with arguments that can be used to enumerate email addresses and accounts. |