ID | Name |
---|---|
T1087.001 | Local Account |
T1087.002 | Domain Account |
T1087.003 | Email Account |
T1087.004 | Cloud Account |
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).[1]
In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.[2][3]
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.[4]
ID | Name | Description |
---|---|---|
S0093 | Backdoor.Oldrea |
Backdoor.Oldrea collects address book information from Outlook.[5] |
S0635 | BoomBox |
BoomBox can execute an LDAP query to discover e-mail accounts for domain users.[6] |
S0367 | Emotet |
Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[7][8] |
S0531 | Grandoreiro |
Grandoreiro can parse Outlook .pst files to extract e-mail addresses.[9] |
S0413 | MailSniper |
MailSniper can be used to obtain account names from Exchange and Office 365 using the |
S0358 | Ruler |
Ruler can be used to enumerate Exchange users and dump the GAL.[10] |
G0034 | Sandworm Team |
Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.[11] |
G0092 | TA505 |
TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.[12] |
S0266 | TrickBot |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0002 | User Account | User Account Metadata |
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
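The following is an added detection example, not part of the ATT&CK page or any vendor's product. It runs the command-line monitoring described above over a handful of constructed process events and flags the email-enumeration patterns this page names: the Get-GlobalAddressList cmdlet, bulk recipient enumeration (Get-Recipient/Get-Mailbox with an unlimited result size, an assumed pairing), an LDAP filter on mail attributes as in the BoomBox description, and Ruler's address-book dump (the `abk dump` command form is assumed from Ruler's usage, not stated on this page). The event field names (`user`, `process`, `command_line`) are assumptions that would map onto Sysmon Event ID 1, Security 4688 or PowerShell 4104 fields in a real pipeline.

```python
"""Flag process events whose command line enumerates email accounts (T1087.003).

Added example; sample events are constructed, not real telemetry. Field names
user/process/command_line are an assumption about the upstream log schema.
"""
import re
from collections import Counter

# Indicator patterns. Get-GlobalAddressList is the Exchange cmdlet the page
# names; the -ResultSize Unlimited pairing, the LDAP attribute filter and the
# 'ruler ... abk dump' shape are assumptions added for illustration.
PATTERNS = {
    "exchange_gal_cmdlet": re.compile(r"\bGet-GlobalAddressList\b", re.I),
    "bulk_recipient_enum": re.compile(
        r"\bGet-(Recipient|Mailbox)\b[^|\n]*-ResultSize\s+Unlimited", re.I),
    "ldap_mail_filter": re.compile(r"\(\s*(mail|proxyAddresses)\s*=", re.I),
    "ruler_abk_dump": re.compile(r"\bruler(\.exe)?\b.*\babk\b.*\bdump\b", re.I),
}

# Constructed sample events (one GAL dump via PowerShell, one benign mailbox
# lookup, one Ruler address-book dump, one dsquery for mail attributes, one
# unrelated Outlook launch).
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "process": "powershell.exe",
     "command_line": "powershell -NoP -W Hidden Get-GlobalAddressList | "
                     "Get-Recipient -ResultSize Unlimited | Export-Csv gal.csv"},
    {"user": "CORP\\svc-backup", "process": "powershell.exe",
     "command_line": "powershell Get-Mailbox -Identity jdoe"},
    {"user": "CORP\\jdoe", "process": "ruler.exe",
     "command_line": "ruler.exe --email jdoe@corp.example --password x "
                     "abk dump --output gal.txt"},
    {"user": "CORP\\admin", "process": "cmd.exe",
     "command_line": 'dsquery * -filter "(&(objectClass=user)(mail=*))" '
                     "-attr mail -limit 0"},
    {"user": "CORP\\alice", "process": "outlook.exe",
     "command_line": "outlook.exe /recycle"},
]


def classify(event):
    """Return the names of every indicator pattern matching the event's command line."""
    command_line = event.get("command_line", "")
    return [name for name, rx in PATTERNS.items() if rx.search(command_line)]


def detect(events):
    """Run classify() over a batch of events.

    Returns (hits, per_user) where hits is a list of (user, process, indicators)
    for every event that matched at least one pattern, and per_user counts how
    many distinct matching events each user produced. The per-user count is the
    'chain of behavior' view: the same user tripping several enumeration
    indicators is a stronger signal than any single command.
    """
    hits = []
    for event in events:
        indicators = classify(event)
        if indicators:
            hits.append((event["user"], event["process"], indicators))
    per_user = Counter(user for user, _, _ in hits)
    return hits, per_user


if __name__ == "__main__":
    found, by_user = detect(SAMPLE_EVENTS)
    for user, process, indicators in found:
        print(f"{user:18} {process:16} {', '.join(indicators)}")
    for user, count in by_user.most_common():
        print(f"{user}: {count} enumeration event(s)")
```

In practice the regexes would be fed from the command-line or script-block fields of the log source, and the per-user count would be computed over a time window so a single admin running one GAL export can be triaged differently from an account that also runs an LDAP mail query and a Ruler dump within minutes.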