Testing: Exfiltration

You did a lot of stuff in the environment. Now it's time to take what we are here for: SENSITIVE DATA! In this section you will do the final act of stealing data from the environment. SWEET SENSITIVE DATA!

Execution path for this section: Exchange -> (3) Setup Email Forwarding

The instructions below (even though you don't need them anymore) will guide you through setting up a mail forwarding rule so you can persistently exfiltrate data from a user's mailbox.

Step 1: Select Exchange Module

In the Attack Arsenal menu, select the Exchange module by typing "exchange" and hitting enter.

Note: Module names are case-insensitive, so you don't have to type them exactly as they appear in the menu.

Step 2: Select Mail Forwarding Sub-Module

The sub-modules menu lists the specific actions you can execute using MAAD-AF. In this case the sub-module options list actions that a user can take against Exchange Online, for example setting up mail forwarding for exfiltration, or email deletion rules to hide artifacts.

For this section of the lab you want to set up email forwarding on a target mailbox in the environment.

Select option 3 by typing "3" and hitting enter.

Step 3: Setup Mail Forwarding

Follow the on-screen prompts in the sub-module to set up mail forwarding.

  • Prompt "Enter a mailbox address to setup mail forwarding from": Leave this blank and press enter to trigger a mailbox reconnaissance, which lists the mailboxes accessible in the environment.

    To make testing easy, MAAD-AF provides functionality that makes it easy to find the information needed to execute attack techniques. In this case, entering a blank mailbox address triggers an automatic reconnaissance of the environment to find mailboxes accessible to your current user, on which a mail forwarding rule can potentially be deployed. MAAD-AF allows you to do this in several input fields across modules, such as finding users / mailboxes / applications / roles / teams / eDiscovery cases & searches / etc. (super amazing, right?). To trigger a recon for an input that you are not sure of, simply leave it blank and press enter.

    MAAD-AF also validates the input wherever possible. For example, MAAD-AF will check whether the mailbox you entered is valid and accessible to the current user before proceeding.

  • Once the recon is completed, MAAD-AF lists the mailboxes it found and asks the same prompt again.

  • Prompt "Enter a mailbox address to setup mail forwarding from": Enter a mailbox address in the format user@demolam.com from the list of mailboxes. (Choose any mailbox to target.)

  • Prompt "Enter a target email to forward the mailbox to": Enter any external email address to forward the emails to. Be creative with your external user and domain (the external domain and user don't have to really exist in this case, so let's have some fun with it). Here's what I would enter: hackerlord@hahahackedyou.com.

  • Watch MAAD-AF create the mail forwarding config with the parameters you provided and deploy it in Exchange Online.

  • Upon completion, a summary of the newly deployed configuration is displayed.

  • Prompt "Would you like to undo modifications and remove mailbox forwarding": Answer yes or no based on whatever serves your curiosity.
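The forwarding configuration deployed in Step 3 is visible to Exchange Online administrators. As an added defender-side check, not part of MAAD-AF or this lab, the following PowerShell enumerates mailbox-level forwarding and forwarding/redirecting inbox rules so they can be reviewed and cleaned up after the exercise. It assumes the ExchangeOnlineManagement module and an already established Connect-ExchangeOnline session with a role that can read mailbox configuration; the Test-ExternalAddress helper is my own.

```powershell
# Added example (not from MAAD-AF or the lab): audit Exchange Online for
# mailbox forwarding and inbox rules that forward or redirect mail.
# Assumes: ExchangeOnlineManagement module installed and Connect-ExchangeOnline
# already run with a role that can read mailbox and inbox-rule configuration.

# Domains owned by the tenant; anything else is treated as external.
$acceptedDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    # Helper (assumption, not an Exchange cmdlet): true when the SMTP address
    # is set and its domain is not one of the tenant's accepted domains.
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # ForwardingSmtpAddress is stored as "smtp:user@domain"
    $domain = ($Address -replace '^smtp:', '').Split('@')[-1]
    return -not ($acceptedDomains -contains $domain)
}

# 1. Mailbox-level forwarding (the setting the Step 3 sub-module deploys).
$mailboxForwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

Write-Host "Mailboxes forwarding to an external SMTP address:"
$mailboxForwarding |
    Where-Object { Test-ExternalAddress $_.ForwardingSmtpAddress } |
    Format-Table -AutoSize

# 2. Inbox rules that forward, forward-as-attachment, or redirect mail.
$ruleFindings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

Write-Host "Inbox rules that forward or redirect mail:"
$ruleFindings | Format-Table -AutoSize

# 3. Who set it up: the unified audit log records the mailbox and rule changes.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations Set-Mailbox, New-InboxRule, Set-InboxRule -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
```

Run it after the lab as well as before: the difference between the two runs should be exactly the forwarding you deployed in Step 3, plus the audit-log entry that recorded it.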

Checkpoint: 5

Congratulations on setting up data exfiltration. "The security team is really gonna have a tough day at work" is something we would have said if it wasn't for Vectra. Don't bother collecting a screenshot; Vectra will know if you successfully managed to set up exfiltration ;)