1. Home
  2. Techniques
  3. Enterprise
  4. Email Collection
  5. Local Email Collection

Email Collection: Local Email Collection

ID Name
T1114.001 Local Email Collection
T1114.002 Remote Email Collection
T1114.003 Email Forwarding Rule

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.[1] IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.[2]

Angreifer können es auf die E-Mails von Benutzern auf lokalen Systemen abgesehen haben, um sensible Informationen zu sammeln. Dateien, die E-Mail-Daten enthalten, können vom lokalen System eines Benutzers erlangt werden, z. B. Outlook-Speicher oder Cache-Dateien.

Outlook speichert Daten lokal in Offline-Datendateien mit der Erweiterung .ost. Outlook 2010 und spätere Versionen unterstützen .ost-Dateien mit einer Grösse von bis zu 50 GB, während frühere Versionen von Outlook bis zu 20 GB unterstützen.(Zitat: Outlook Dateigrössen) IMAP-Konten in Outlook 2013 (und früher) und POP-Konten verwenden Outlook Data Files (.pst) im Gegensatz zu .ost, während IMAP-Konten in Outlook 2016 (und später) .ost-Dateien verwenden. Beide Arten von Outlook-Datendateien werden normalerweise unter C:\Benutzer\<Benutzername>\Dokumente\Outlook-Dateien oder C:\Benutzer\<Benutzername>\AppData\Local\Microsoft\Outlook gespeichert.(Zitat: Microsoft Outlook-Dateien)

Les adversaires peuvent cibler les courriers électroniques des utilisateurs sur les systèmes locaux pour collecter des informations sensibles. Les fichiers contenant des données de messagerie peuvent être acquis à partir du système local d'un utilisateur, comme les fichiers de stockage ou de cache d'Outlook.

Outlook stocke les données localement dans des fichiers de données hors ligne portant l'extension .ost. Outlook 2010 et les versions ultérieures prennent en charge les fichiers .ost jusqu'à 50 Go, tandis que les versions antérieures d'Outlook prennent en charge jusqu'à 20 Go.(Citation : Tailles des fichiers Outlook) Les comptes IMAP dans Outlook 2013 (et les versions antérieures) et les comptes POP utilisent les fichiers de données Outlook (.pst) par opposition aux fichiers .ost, tandis que les comptes IMAP dans Outlook 2016 (et les versions ultérieures) utilisent les fichiers .ost. Les deux types de fichiers de données Outlook sont généralement stockés dans C:\Users\<username>\Documents\Outlook Files ou C:\Users\<username>\AppData\Local\Microsoft\Outlook.(Citation : Microsoft Outlook Files)

Gli avversari possono prendere di mira le email degli utenti sui sistemi locali per raccogliere informazioni sensibili. I file contenenti dati di email possono essere acquisiti dal sistema locale di un utente, come i file di archiviazione o di cache di Outlook.

Outlook memorizza i dati localmente in file di dati offline con estensione .ost. Outlook 2010 e successivi supportano file .ost fino a 50GB, mentre le versioni precedenti di Outlook supportano fino a 20GB.(Citazione: Dimensioni dei file di Outlook) Gli account IMAP in Outlook 2013 (e precedenti) e gli account POP usano file di dati di Outlook (.pst) invece di .ost, mentre gli account IMAP in Outlook 2016 (e successivi) usano file .ost. Entrambi i tipi di file di dati di Outlook sono tipicamente archiviati in C:\Users\<username>\Documents\Outlook Files o C:\Users\<username>\AppData\Local\Microsoft\Outlook.(Citazione: Microsoft Outlook Files)

Login
ID: T1114.001
Sub-technique of:  T1114
Tactic: Collection
Platforms: Windows
Permissions Required: User
Version: 1.0
Created: 19 February 2020
Last Modified: 24 March 2020
Translations:  DE FR IT EN
Provided by LAYER 8

Procedure Examples

ID Name Description
G0006 APT1

APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.[3]
S0030 Carbanak

Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.[4]
G0114 Chimera

Chimera has harvested data from victim's e-mail including through execution of wmic /node: process call create "cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst" copy "i:\\\My Documents\.pst"copy.[5]
S0050 CosmicDuke

CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.[6]
S0115 Crimson

Crimson contains a command to collect and exfiltrate emails from Outlook.[7]
S0367 Emotet

Emotet has been observed leveraging a module that scrapes email data from Outlook.[8]
S0363 Empire

Empire has the ability to collect emails on a target system.[9]
S0526 KGH_SPY

KGH_SPY can harvest data from mail clients.[10]
G0059 Magic Hound

Magic Hound has collected .PST archives.[11]
S0594 Out1

Out1 can parse e-mails on a target machine.[12]
S0192 Pupy

Pupy can interact with a victim’s Outlook session and look through folders and emails.[13]
S0650 QakBot

QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.[14][14][15][16]
S0226 Smoke Loader

Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).[17]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access

Monitor processes and command-line arguments for actions that could be taken to gather local email files. Monitor for unusual processes accessing local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Überwachen Sie Prozesse und Befehlszeilenargumente auf Aktionen, die zum Sammeln lokaler E-Mail-Dateien genutzt werden könnten. Überwachen Sie auf ungewöhnliche Prozesse, die auf lokale E-Mail-Dateien zugreifen. Fernzugriffstools mit integrierten Funktionen können direkt mit der Windows-API interagieren, um Informationen zu sammeln. Informationen können auch über Windows-Systemverwaltungstools wie Windows Management Instrumentation und PowerShell erfasst werden.

Surveillez les processus et les arguments de la ligne de commande pour détecter les actions qui pourraient être prises pour rassembler les fichiers de messagerie locaux. Surveillez les processus inhabituels accédant aux fichiers de messagerie locaux. Les outils d'accès à distance dotés de fonctions intégrées peuvent interagir directement avec l'API Windows pour recueillir des informations. Les informations peuvent également être obtenues par le biais d'outils de gestion du système Windows tels que [Windows Management Instrumentation] (/techniques/T1047) et [PowerShell] (/techniques/T1059/001).

Controlli i processi e gli argomenti della linea di comando per le azioni che potrebbero essere intraprese per raccogliere i file locali di posta elettronica. Monitorare i processi insoliti che accedono ai file locali di posta elettronica. Gli strumenti di accesso remoto con funzioni integrate possono interagire direttamente con l'API di Windows per raccogliere informazioni. Le informazioni possono anche essere acquisite attraverso strumenti di gestione del sistema Windows come Windows Management Instrumentation e PowerShell.

References

  1. N. O'Bryan. (2018, May 30). Managing Outlook Cached Mode and OST File Sizes. Retrieved February 19, 2020.
  2. Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and .ost). Retrieved February 19, 2020.
  3. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  4. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  5. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  6. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  7. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  8. CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
  9. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  1. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  2. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  3. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  4. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  5. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  6. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
  7. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  8. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.