“introducing mailsniper: a tool for searching every user’s email for sensitive data beau bullock // tl;dr mailsniper is a penetration testing tool for searching through email in a microsoft…”
T1114.002 Remote Email Collection
90%
“the search to a csv file. - mailsperuser – the total number of latest emails to search through in the mailbox. the default is set to the latest 100 emails in the inbox. - emaillist – a text file listing email addresses to search (one per line). demo video conclusion having the …”
T1098.002 Additional Email Delegate Permissions
85%
“account from that group. in the few tests i have run, it appears that “domain admins” has the ability to grant this access to any account. so, if typical user hunting with doesn’t yield you an exchange admin account you can always resort to adding your own user to the group w…”
T1114.002 Remote Email Collection
84%
“##ke-globalmailsearch then connects to exchange web services using the account with the impersonation role to gather a number of emails from each mailbox and ultimately searches through them for specific terms. by default the script searches for “*password*”, “*creds*”,…”
T1098.002 Additional Email Delegate Permissions
83%
“##ation -user:username-of-impersonation-user having this role assigned to a user i controlled allowed for accessing other users’ mailboxes. exchange management shell was required to make this change. this is installed on the exchange server itself. in order to perform t…”
T1114.002 Remote Email Collection
82%
“) was not required. in doing research into exchange web services i discovered a few things that i found interesting that would ultimately lead to a second function being developed. my initial goal was to create a tool to search through every mailbox in a domain for specific terms…”
T1114.002 Remote Email Collection
78%
“connection to exchange web services as “current-username” where, by default, 100 of the latest emails from each mailbox will be searched through for the terms “*pass*”, “*creds*”, “*credentials*” and output to a csv file called global-email-search.csv. the cs…”
T1114.002 Remote Email Collection
59%
““*pass*”, “*creds*”, “*credentials*”. by default, the only option necessary for invoke-selfsearch is the -mailbox option. a full list of options that can be used are: - exchhostname – the hostname of the exchange server to connect to if autodiscover is failing. - …”
T1098.002 Additional Email Delegate Permissions
58%
“email address entered, and automatically login with the administrative credentials passed on the command line. a ps-remoting session is then setup to the exchange server where the applicationimpersonation role is then granted to the “current-username” user. a list of all em…”
T1114.002 Remote Email Collection
53%
“exchange2013_sp1. - outputcsv – outputs the results of the search to a csv file. - mailsperuser – the total number of latest emails to search through in the mailbox. the default is set to the latest 100 emails in the inbox. invoke-globalmailsearch invoke-globalmailsearch is…”
T1114.002 Remote Email Collection
40%
“the hostname of the exchange server to connect to if autodiscover is failing. - autodiscoveremail – a valid email address that will be used to autodiscover where the exchange server is located. - adminusername – the username of an exchange administrator including the domain (i. …”
T1087.003 Email Account
37%
“exchange2013_sp1. - outputcsv – outputs the results of the search to a csv file. - mailsperuser – the total number of latest emails to search through in the mailbox. the default is set to the latest 100 emails in the inbox. invoke-globalmailsearch invoke-globalmailsearch is…”
T1087.003 Email Account
37%
““*pass*”, “*creds*”, “*credentials*”. by default, the only option necessary for invoke-selfsearch is the -mailbox option. a full list of options that can be used are: - exchhostname – the hostname of the exchange server to connect to if autodiscover is failing. - …”
T1555 Credentials from Password Stores
33%
“social security number*” could return potential health care data. here is a real-world example where searching for the term “*database*” in emails revealed a conversation where a sysadmin was telling his team where the location of their internal keepass database was migra…”
Summary
Beau Bullock // TL;DR MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It […]