-
Notifications
You must be signed in to change notification settings - Fork 13
Supported Techniques
mvelazco edited this page Apr 7, 2024
·
22 revisions
- Supported Methods: Graph, EWS
- Description: Simulates the action of reading emails from a specified mailbox, demonstrating data access and potential exfiltration capabilities.
- Execution Context: Operates within the access scope of the authenticated user's mailbox with user credentials; with application credentials and the necessary permissions, it extends to reading emails from any mailbox in the organization.
-
Parameters:
-
auth_type
: Authentication type used, with values ranging from 1 to 3, each representing a different authentication mechanism. -
method
: Specifies the API method used (Graph API or EWS). -
mailbox
: Target email address from which emails will be read. -
keyword
: Keyword for the search. -
limit
: Maximum number of emails to be read.
-
- Supported Methods: Graph
- Description: Simulates an adversary conducting targeted searches within a mailbox to uncover sensitive information.
- Execution Context: This technique operates exclusively within the scope of the authenticated user's mailbox based on provided user credentials. It does not support application authentication.
-
Parameters:
-
auth_type
: Authentication type used, with values ranging from 1 to 3, each representing a different authentication mechanism. -
method
: Specifies the API method used (Graph API or EWS). -
mailbox
: Target email address from which emails will be read. -
limit
: Maximum number of emails to be read.
-
- Supported Methods: Graph, EWS, REST
- Description: Creates an email rule to automatically forward emails containing specified keywords, simulating discreet information exfiltration.
- Execution Context: With user credentials, allows for creating email rules within the user's own mailbox; when using application credentials with adequate permissions, rules can be established across any user mailboxes organization-wide.
-
Parameters:
-
auth_type
: Authentication type used. -
method
: Method used for rule creation (Graph, EWS, or REST). -
mailbox
: Email address on which the rule will be created. -
rule_name
: Name of the created rule. -
forward_to
: Email address to which matching emails will be forwarded. -
body_contains
: Keyword that triggers the rule.
-
- Supported Methods: REST
- Description: Enables automatic forwarding of all emails from a specified mailbox, simulating unauthorized email traffic diversion.
- Execution Context: Can enable forwarding for the authenticated user's own mailbox with user credentials; with application credentials granted the right permissions, forwarding can be activated for any mailbox.
-
Parameters:
-
auth_type
: Authentication type used. -
method
: This technique uses REST. -
mailbox
: Mailbox from which emails will be forwarded. -
forward_to
: Destination email address for forwarded emails.
-
- Supported Methods: REST, EWS
- Description: Grants a user permission to access a specific folder in another user's mailbox, simulating unauthorized access to sensitive information.
- Execution Context: Grants folder access rights within the user's mailbox using user credentials; application credentials with proper permissions can modify folder permissions across mailboxes organization-wide.
-
Parameters:
-
auth_type
: Authentication type used. -
method
: Specifies REST or EWS. -
mailbox
: Mailbox containing the folder to which permissions will be added. -
folder
: Folder for which permissions are granted. -
grantee
: User being granted folder access. -
access_rights
: Level of access granted (e.g., Owner, Author).
-
- Supported Methods: REST
- Description: Grants a user full access to another user's mailbox, critical for simulating compromised account scenarios.
- Execution Context: Allows mailbox delegation for the authenticated user's mailbox with user credentials; application credentials with sufficient permissions enable delegation setup for any mailbox in the organization.
-
Parameters:
-
auth_type
: Authentication type used. -
method
: Uses REST. -
mailbox
: Mailbox to which access will be delegated. -
grantee
: User granted access to the mailbox. -
access_rights
: Type of access granted, "FullAccess".
-
- Supported Methods: REST
- Description: Executes a compliance search for specified keywords, simulating the search for sensitive or regulated information.
- Execution Context: Requires privileges from either an application with the appropriate permissions or a high-privileged user account with administrative Exchange roles.
-
Parameters:
-
auth_type
: Authentication type used. -
method
: Uses REST. -
keyword
: Keyword for the search. -
name
: Name of the compliance search.
-
- Supported Methods: REST
- Description: Establishes a mail flow rule to forward emails based on defined criteria, simulating potential malicious redirection.
- Execution Context: Can only be executed with sufficient privileges, accessible to applications granted the necessary permissions or users endowed with high-level administrative Exchange roles.
-
Parameters:
-
auth_type
: Authentication type used. -
method
: Uses REST. -
forward_to
: Email address for forwarding. -
name
: Name of the mail flow rule.
-
Technique | Graph | EWS | REST |
---|---|---|---|
read_email | X | X | |
search_mailbox | X | ||
create_rule | X | X | X |
enable_email_forwarding | X | ||
add_folder_permission | X | X | |
add_mailbox_delegation | X | ||
run_compliance_search | X | ||
create_mailflow | X |