Skip to content

Supported Techniques

Jump to bottom
mvelazco edited this page Apr 8, 2024 · 17 revisions

read_email

  • Supported Methods: Graph, EWS
  • Description: Simulates the action of reading emails from a specified mailbox, demonstrating data access and potential exfiltration capabilities.
  • Execution Context: Operates within the access scope of the authenticated user's mailbox with user credentials; with application credentials and the necessary permissions, it extends to reading emails from any mailbox in the organization.
  • Parameters:
    • auth_method: Authentication method used, with values indicating the specific OAuth flow.
    • access_method: Specifies the API method used (Graph API or EWS).
    • mailbox: Target email address from which emails will be read.
    • limit: Maximum number of emails to be read.

search_mailbox

  • Supported Methods: Graph
  • Description: Simulates an adversary conducting targeted searches within a mailbox to uncover sensitive information.
  • Execution Context: This technique operates exclusively within the scope of the authenticated user's mailbox based on provided user credentials. It does not support application authentication.
  • Parameters:
    • auth_method: Authentication method used, with values indicating the specific OAuth flow.
    • access_method: Specifies the API method used (Graph API).
    • keyword: Keyword for the search.
    • mailbox: Target email address from which emails will be read.
    • limit: Optional parameter to limit the number of search results returned.

search_onedrive

  • Supported Methods: Graph
  • Description: Simulates an adversary conducting targeted searches within OneDrive and Sharepoint.
  • Execution Context: This technique operates exclusively within the scope of the authenticated user's OneDrive based on provided user credentials. It does not support application authentication.
  • Parameters:
    • auth_method: Authentication method used, with values indicating the specific OAuth flow.
    • access_method: "graph" indicates the use of Microsoft Graph API for this simulation.
    • keyword: Keyword for the search.
    • limit: Optional parameter to limit the number of search results returned.

create_rule

  • Supported Methods: Graph, EWS, REST
  • Description: Creates an email rule to automatically forward emails containing specified keywords, simulating discreet information exfiltration.
  • Execution Context: With user credentials, allows for creating email rules within the user's own mailbox; when using application credentials with adequate permissions, rules can be established across any user mailboxes organization-wide.
  • Parameters:
    • auth_method: Authentication method used, with values indicating the specific OAuth flow.
    • access_method: Method used for rule creation (Graph, EWS, or REST).
    • mailbox: Email address on which the rule will be created.
    • rule_name: Name of the created rule.
    • forward_to: Email address to which matching emails will be forwarded.
    • body_contains: Keyword that triggers the rule.

enable_email_forwarding

  • Supported Methods: REST
  • Description: Enables automatic forwarding of all emails from a specified mailbox, simulating unauthorized email traffic diversion.
  • Execution Context: Can enable forwarding for the authenticated user's own mailbox with user credentials; with application credentials granted the right permissions, forwarding can be activated for any mailbox.
  • Parameters:
    • auth_method: Authentication method used, with values indicating the specific OAuth flow.
    • access_method: This technique uses REST.
    • mailbox: Mailbox from which emails will be forwarded.
    • forward_to: Destination email address for forwarded emails.

add_folder_permission

  • Supported Methods: REST, EWS
  • Description: Grants a user permission to access a specific folder in another user's mailbox, simulating unauthorized access to sensitive information.
  • Execution Context: Grants folder access rights within the user's mailbox using user credentials; application credentials with proper permissions can modify folder permissions across mailboxes organization-wide.
  • Parameters:
    • auth_method: Authentication method used, with values indicating the specific OAuth flow.
    • access_method: Specifies REST or EWS.
    • mailbox: Mailbox containing the folder to which permissions will be added.
    • folder: Folder for which permissions are granted.
    • grantee: User being granted folder access.
    • access_rights: Level of access granted (e.g., Owner, Author).

add_mailbox_delegation

  • Supported Methods: REST
  • Description: Grants a user full access to another user's mailbox, critical for simulating compromised account scenarios.
  • Execution Context: Allows mailbox delegation for the authenticated user's mailbox with user credentials; application credentials with sufficient permissions enable delegation setup for any mailbox in the organization.
  • Parameters:
    • auth_method: Authentication method used, with values indicating the specific OAuth flow.
    • access_method: Uses REST.
    • mailbox: Mailbox to which access will be delegated.
    • grantee: User granted access to the mailbox.
    • access_rights: Type of access granted, "FullAccess".

run_compliance_search

  • Supported Methods: REST
  • Description: Executes a compliance search for specified keywords, simulating the search for sensitive or regulated information.
  • Execution Context: Requires privileges from either an application with the appropriate permissions or a high-privileged user account with administrative Exchange roles.
  • Parameters:
    • auth_method: Authentication method used, with values indicating the specific OAuth flow.
    • access_method: Uses REST.
    • keyword: Keyword for the search.
    • name: Name of the compliance search.

create_mailflow_rule

  • Supported Methods: REST
  • Description: Establishes a mail flow rule to forward emails based on defined criteria, simulating potential malicious redirection.
  • Execution Context: Can only be executed with sufficient privileges, accessible to applications granted the necessary permissions or users endowed with high-level administrative Exchange roles.
  • Parameters:
    • auth_method: Authentication method used, with values indicating the specific OAuth flow.
    • access_method: Uses REST.
    • forward_to: Email address for forwarding.
    • name: Name of the mail flow rule.
Clone this wiki locally