T1087.003: Email Account
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).
In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
microsoft_exchange: PT-CR-658: Exchange_Get_Global_Address_List: A user collected email addresses from an Exchange global address list
active_directory_attacks: PT-CR-2550: LDAP_Discovery: A user executed a suspicious LDAP request that may indicate reconnaissance in the domain
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0009 | Process: Process Creation | Monitor for newly executed processes, such as Windows Management Instrumentation and PowerShell, with arguments that can be used to enumerate email addresses and accounts. |
| DS0017 | Command: Command Execution | Monitor for execution of commands and arguments associated with enumeration or information gathering of email addresses and accounts such as |
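The process-creation monitoring described above can be sketched as a small detector. This is an added example, not Positive Technologies or MITRE code. The event field names (`host`, `user`, `command_line`) and the sample events are assumptions constructed for illustration. It matches the Get-GlobalAddressList cmdlet after normalizing case and escape characters and decoding any -EncodedCommand argument.

```python
import base64
import re

# Cmdlet named on this page; extend the tuple for other enumeration commands.
WATCHED_CMDLETS = ("get-globaladdresslist",)
# -EncodedCommand and its abbreviations (-e, -ec, -enc, ...), then a base64 value.
ENCODED_ARG = re.compile(r"(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{8,})")

def normalize(command_line):
    """Lower-case and drop PowerShell backtick escapes, cmd carets and quotes."""
    return re.sub(r"[`^'\"]", "", command_line).lower()

def decode_encoded_commands(command_line):
    """Return every -EncodedCommand payload (base64 of UTF-16LE) that decodes."""
    decoded = []
    for match in ENCODED_ARG.finditer(command_line):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-16-le"))
        except ValueError:  # not base64, or not UTF-16LE text (e.g. -ExecutionPolicy value)
            continue
    return " ".join(decoded)

def detect(events):
    """Return (host, user, cmdlet) for each process-creation event that matches."""
    hits = []
    for event in events:
        cmd = event.get("command_line", "")
        haystack = normalize(cmd + " " + decode_encoded_commands(cmd))
        for cmdlet in WATCHED_CMDLETS:
            if cmdlet in haystack:
                hits.append((event["host"], event["user"], cmdlet))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "command_line": "powershell.exe -Command Get-GlobalAddressList"},
    {"host": "ws02", "user": "bob", "command_line": "powershell.exe -c \"get-Glo`balAddressList | fl\""},
    {"host": "ws03", "user": "carol", "command_line": "powershell.exe -enc "
        + base64.b64encode("Get-GlobalAddressList".encode("utf-16-le")).decode()},
    {"host": "ws04", "user": "dave", "command_line": "powershell.exe -Command Get-Mailbox -Identity dave"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Commands typed into an interactive or remote Exchange session do not appear in process command lines; the same matching can be applied to PowerShell script block log text for the command-execution data source.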