www.blackhillsinfosec.com Open in urlscan Pro
2606:4700:10::6816:933 Public Scan

Back to summary

URL:
https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/
Submission: On September 04 via api (September 4th 2021, 3:22:54 pm UTC) from US

Form analysis
4 forms found in the DOM

POST #

<form action="#" method="post" accept-charset="utf-8" id="subscribe-blog-459">
  <div class="jetpack-subscribe-count">
    <p> Join 3,811 other subscribers </p>
  </div>
  <p id="subscribe-email">
    <label id="jetpack-subscribe-label" class="screen-reader-text" for="subscribe-field-459"> Email Address </label>
    <input type="email" name="email" required="required" value="" id="subscribe-field-459" placeholder="Email Address">
  </p>
  <p id="subscribe-submit">
    <input type="hidden" name="action" value="subscribe">
    <input type="hidden" name="source" value="https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/">
    <input type="hidden" name="sub-type" value="widget">
    <input type="hidden" name="redirect_fragment" value="459">
    <button type="submit" class="undefined" style="margin-left: 0px;" name="jetpack_subscriptions_widget"> Subscribe </button>
  </p>
</form>

GET https://www.blackhillsinfosec.com/

<form method="get" id="searchform" action="https://www.blackhillsinfosec.com/">
  <i class="icon-search"></i>
  <input type="text" name="s" id="s" title="Search" value="">
</form>

POST #

<form action="#" method="post" accept-charset="utf-8" id="subscribe-blog-blog_subscription-2">
  <div id="subscribe-text">
    <p>Don't get left in the dark! Enter your email address and every time a post goes live you'll get an instant notification! We'll also add you to our webcast list, so you won't miss our occasional emails about upcoming events! (We promise, we're
      not spammy!)</p>
  </div>
  <p id="subscribe-email">
    <label id="jetpack-subscribe-label" class="screen-reader-text" for="subscribe-field-blog_subscription-2"> Email Address </label>
    <input type="email" name="email" required="required" value="" id="subscribe-field-blog_subscription-2" placeholder="Email Address">
  </p>
  <p id="subscribe-submit">
    <input type="hidden" name="action" value="subscribe">
    <input type="hidden" name="source" value="https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/">
    <input type="hidden" name="sub-type" value="widget">
    <input type="hidden" name="redirect_fragment" value="blog_subscription-2">
    <button type="submit" name="jetpack_subscriptions_widget"> Subscribe </button>
  </p>
</form>

GET https://www.blackhillsinfosec.com/

<form method="get" id="searchform" action="https://www.blackhillsinfosec.com/">
  <i class="icon-search"></i>
  <input type="text" name="s" id="s" title="Search" value="">
</form>

Text Content

Now scheduling Q1 - 2022 | Contact Us!
Penetration testing for Fortune 50 companies since 2008.
RSS

* About Us
* Testers
* Admin
* SOC Team
* Partners
* Interns
* Contact
* Contact Us
* Email Sign-Up
* Services
* Active SOC
* Blockchain Security
* Blue Team Services
* Cyber Range
* Hunt Team (HTOC)
* Penetration Testing
* Projects/Tools
* All Tools
* RITA
* Backdoors & Breaches
* Books
* Learn
* Blog
* Webcasts
* Podcasts
* Training
* PROMPT# Zine
* Community
* Discord
* LinkedIn
* Spearphish General Store
* Twitter
* YouTube

25 Sep 2016

External/Internal, Red Team hunting, Pentesting, pillaging, red teaming,
sensitive info, yolo

INTRODUCING MAILSNIPER: A TOOL FOR SEARCHING EVERY USER’S EMAIL FOR SENSITIVE
DATA

Beau Bullock //

TL;DR

MailSniper is a penetration testing tool for searching through email in a
Microsoft Exchange environment for specific terms (passwords, insider intel,
network architecture information, etc.). It can be used as a non-administrative
user to search their own email, or by an Exchange administrator to search the
mailboxes of every user in a domain.

MailSniper is available for download here:
https://github.com/dafthack/MailSniper

OVERVIEW

Oftentimes, on penetration tests we find ourselves having elevated access
(Domain Admin) within an organization. Some firms stop there thinking that DA is
the end goal. But it’s not. “Getting DA” means nothing to most members of the
C-suite level if you can’t provide a picture of what that means in terms of
risk. One of the best ways to demonstrate risk to an organization is to show the
ability to gain access to sensitive data. Sensitive data to an organization
varies greatly from company to company. Some common examples of sensitive data
are: customer information, credit card numbers, Social Security numbers,
employee information, intellectual property, industrial control systems/SCADA,
health care data, etc.

According to the 2016 Mandiant M-Trends Report (PDF) in 2015, the median number
of days organizations were compromised before they detected the breach was 146.
Having that much time inside of any network allows attackers to slowly and
stealthily gain operational awareness, determine what the organization deems
sensitive data, locate sensitive data on the network, compromise sensitive data,
and ultimately exfiltrate it. How do we as pentesters go about providing that
same illustration in terms of risk to an organization when we typically only
have less than 5 days to complete an assessment?

In this blog post, I will detail a new tool I have developed to assist in the
location of sensitive data on a network by searching through every employee’s
email for specific terms. The tool is called MailSniper.

WHY SHOULD WE SEARCH EMAIL?

First off, there are already some great tools available for locating sensitive
data on a network. One of my favorite tools that I use on pretty much every
engagement is called PowerView (PS1) by Will Schroeder (@harmj0y). PowerView has
the ability to locate available shares on a network (Invoke-ShareFinder), and
search through files (Invoke-FileFinder) on them for specific terms in the file
names.

Searching network shares for files containing sensitive data has proved fruitful
for myself many times. But, this was not always the case. Occasionally networks
I have tested were so large that scanning every network share would not complete
during the testing window. Other times, maybe the attack surface was very small
in terms of alive hosts, or sensitive data is simply not being stored on network
shares at all. In these cases, previously I would resort to a more manual
approach to locating sensitive data, which would not always result in me
obtaining it.

This led me down the path to thinking about what else can we do to locate
sensitive data quickly in a network. Through discussions with Derek Banks
(@0xderuke) and Ethan Robish (@ethanrobish) at DerbyCon last year we came upon
the idea of searching email within an organization. Email is very often the
primary messaging system inside most organizations, and is the go-to medium for
a simple chit chat about daily business, password resets, or even corporate
strategy.

Having the power to search through email is huge when hunting for sensitive
data. For example, a simple search for the term “*password*” in the body and
subject of every email might return instructions on how to access certain
systems along with what credentials to use. At an energy company a search for
“*scada*” or “*industrial control system*” might return a conversation detailing
the location of sensitive ICS devices. At a financial institution a search for
“*credit card*” might reveal where employees have been sending credit card
numbers in cleartext over email. At a healthcare organization searching for
“*SSN*” or “*Social Security number*” could return potential health care data.

Here is a real-world example where searching for the term “*database*” in emails
revealed a conversation where a SysAdmin was telling his team where the location
of their internal KeePass database was migrated to along with the key file.

I copied the DB and key file to my testing system and opened it with KeePass (Of
course a second factor wasn’t required). All I needed was the key file that was
in the same directory as the DB. ./facepalm). It was a gold mine of pretty much
every credential you would ever want at an organization. All of the ‘sa’
passwords to databases, all of the network device passwords, passwords to login
to their security products, Windows administrative passwords, VPN Group ID/pass,
etc.

Most of the environments we see are typically running Microsoft Exchange for
email services. Microsoft Exchange already has a few tools for searching email
built-in to the server itself. From the Exchange Management Shell on the server
the Search-Mailbox cmdlet has some search functionality, but not at the level I
wanted. So, I set out on building a new tool to accomplish my goal of being able
to search all the mailboxes on a domain for specific terms.

MAILSNIPER.PS1

Available here: https://github.com/dafthack/MailSniper

To accomplish my goal I decided to start building a tool called MailSniper
written in PowerShell for a few reasons:

* PowerShell scripts are very portable
* Some basic scripts for connecting to Exchange Web Services already exist

Microsoft Exchange Server starting with version 2007 has implemented a web API
called Exchange Web Services (EWS). EWS allows for remote web calls to the
Exchange server to gather various data including calendars, contacts, and
messages. The ability to connect to Exchange remotely from any system on the
network provides highly flexible search capabilities.

I wanted this to be a tool that could operate completely remote from any host on
the network to the Exchange server, meaning an interactive session (RDP, VNC,
etc.) was not required. In doing research into Exchange Web Services I
discovered a few things that I found interesting that would ultimately lead to a
second function being developed.

My initial goal was to create a tool to search through every mailbox in a domain
for specific terms. Another highly useful function of Exchange Web Services I
hadn’t considered is to simply search the current user’s email alone. Because of
this possibility, I created a separate function inside of MailSniper.

The two main functions in MailSniper are Invoke-GlobalMailSearch and
Invoke-SelfSearch.

INVOKE-SELFSEARCH

Invoke-SelfSearch is a function that will simply search for terms in the current
user’s mailbox. The ability to search your own email in a pentesting situation
may seem at first like something that wouldn’t be all that useful. But when you
start to consider how often we as pentesters gain access to other user’s
credentials during engagements and combine that then with the ability to search
their email from a PowerShell script, it becomes much more powerful. It becomes
a brand new privilege escalation vector.

For example, let’s say that through password spraying we were able to gain
access to 10 user credentials, but none of them have any administrative access.
By searching through each one of their mailboxes for the terms “password”,
“creds”, or “credentials” we might very well find a number of conversations that
include information that would allow us to access other accounts or systems.

To search the current user’s mailbox first open a PowerShell terminal with the
‘-exec bypass’ option to bypass execution policy. Then, import the
MailSniper.ps1 module into a PowerShell terminal, and run the following
Invoke-SelfSearch command with the email address of your user:

Invoke-SelfSearch -Mailbox current-user@domain.com

This command will connect to the Exchange server auto-discovered from the email
address entered using Exchange Web Services where, by default, 100 of the latest
emails from the “Mailbox” will be searched through for the terms
“*pass*”,”*creds*”,”*credentials*”.

By default, the only option necessary for Invoke-SelfSearch is the -Mailbox
option. A full list of options that can be used are:

* ExchHostname – The hostname of the Exchange server to connect to if
Autodiscover is failing.
* Mailbox – Email address of the current user the PowerShell process is running
as (i.e. the only mailbox the account can search).
* Terms – Certain terms to search through each email subject and body for. By
default, the script looks for “*password*”,”*creds*”,”*credentials*”.
* ExchangeVersion – In order to communicate with Exchange Web Services the
correct version of Microsoft Exchange Server must be specified. By default,
this script tries “Exchange2010”. Additional options to try are
Exchange2007_SP1, Exchange2010, Exchange2010_SP1, Exchange2010_SP2,
Exchange2013, or Exchange2013_SP1.
* OutputCsv – Outputs the results of the search to a CSV file.
* MailsPerUser – The total number of latest emails to search through in the
mailbox. The default is set to the latest 100 emails in the inbox.

INVOKE-GLOBALMAILSEARCH

Invoke-GlobalMailSearch is a function that will search through all mailboxes on
an Exchange server. The process to search through every mailbox is a bit more
complicated than just searching the mailbox of the current user. For starters
just getting a Domain Admin account doesn’t necessarily mean you now have access
to everyone’s mailbox. By default, the “Domain Admins” group does not have “full
access” rights to mailboxes on Exchange.

The account group that has complete and utter control of everything related to
Exchange is the “Exchange Organization Administrators” group. (FYI This group
name varies between Exchange versions. In Exchange 2013 the group is called
“Organization Management”). In order to make this script work, you will need an
account from that group. In the few tests I have run, it appears that “Domain
Admins” has the ability to grant this access to any account. So, if typical user
hunting with doesn’t yield you an Exchange admin account you can always resort
to adding your own user to the group with a DA. From a workstation on the domain
the following command can be run as a domain admin to add a user to the
“Exchange Organization Administrators” group:

C:> net groups “Exchange Organization Administrators” <username-of-your-user> /DOMAIN /ADD

In researching deeper into accessing other users’ mailboxes I came across what
is called the “ApplicationImpersonation” role. The “ApplicationImpersonation”
role is a Microsoft Exchange server role that, when granted to a user, allows
them to impersonate other users when accessing mailboxes. This role can be
granted at the Exchange Management Shell with the following command:

New-ManagementRoleAssignment -Name:impersonationAssignmentName
-Role:ApplicationImpersonation -User:username-of-impersonation-user

Having this role assigned to a user I controlled allowed for accessing other
users’ mailboxes. Exchange Management Shell was required to make this change.
This is installed on the Exchange server itself. In order to perform this action
remotely, Invoke-GlobalMailSearch sets up a PowerShell remoting session to the
Exchange server as the Exchange admin and then imports the Microsoft.Exchange
configuration which includes all of the Exchange Management Shell commands.

After the PS-Remoting session is established Invoke-GlobalMailSearch grants a
specific user passed in via the -ImpersonationAccount option the
ApplicationImpersonation role. After this role has been granted the
Invoke-GlobalMailSearch function creates a list of all mailboxes in the Exchange
database using the Exchange Management Shell command ‘Get-Mailbox | Select Name
-ExpandProperty EmailAddresses’. It is also possible to pass in a custom list of
email addresses with the -MailList flag.

Invoke-GlobalMailSearch then connects to Exchange Web Services using the account
with the impersonation role to gather a number of emails from each mailbox and
ultimately searches through them for specific terms. By default the script
searches for “*password*”,”*creds*”,”*credentials*”.

To search all mailboxes on an Exchange server import the MailSniper.ps1 module
into a PowerShell terminal, then run the following command changing out the
options to match the target environment:

Invoke-GlobalMailSearch -ImpersonationAccount current-username
ExchHostname Exch01 -OutputCsv global-email-search.csv

This command will connect to the Exchange server located at ‘Exch01’ and prompt
for administrative credentials. Once administrative credentials have been
entered a PS remoting session is set up to the Exchange server where the
ApplicationImpersonation role is then granted to the “current-username” user. A
list of all email addresses in the domain is then gathered, followed by a
connection to Exchange Web Services as “current-username” where, by default, 100
of the latest emails from each mailbox will be searched through for the terms
“*pass*”,”*creds*”,”*credentials*” and output to a CSV file called
global-email-search.csv.

The CSV that is output should look something like the screenshot below.

Another example of command for Invoke-GlobalMailSearch would be:

Invoke-GlobalMailSearch -ImpersonationAccount current-username
AutoDiscoverEmail user@domain.com -MailsPerUser 1000 -Terms
"*passwords*","*super secret*","*industrial control systems*","*scada*","*launch
codes*" -ExchangeVersion Exchange2010 -OutputCsv example2search.csv
AdminUserName domain\adminusername -AdminPassword
SuperSecurePassword123

This command will connect to the Exchange server auto-discovered from the email
address entered, and automatically login with the administrative credentials
passed on the command line. A PS-Remoting session is then setup to the Exchange
server where the ApplicationImpersonation role is then granted to the
“current-username” user. A list of all email addresses in the domain is then
gathered, followed by a connection to Exchange Web Services using the Exchange
Version ‘Exchange2010’ as “current-username” where 1,000 of the latest emails
from each mailbox will be searched through for the terms “*passwords*”,”*super
secret*”,”*industrial control systems*”,”*scada*”,”*launch codes*” and output to
a CSV called example2search.csv.

A full list of options that can be used with Invoke-GlobalMailSearch are:

* ImpersonationAccount – Username of the current user account the PowerShell
process is running as. This user will be granted the ApplicationImpersonation
role on Exchange.
* ExchHostname – The hostname of the Exchange server to connect to if
Autodiscover is failing.
* AutoDiscoverEmail – A valid email address that will be used to autodiscover
where the Exchange server is located.
* AdminUserName – The username of an Exchange administrator including the
domain (i.e. domain\adminusername).
* AdminPassword – The password to the Exchange administrator account specified
with AdminUserName.
* Terms – Certain terms to search through each email subject and body for. By
default, the script looks for “*password*”,”*creds*”,”*credentials*”.
* ExchangeVersion – In order to communicate with Exchange Web Services the
correct version of Microsoft Exchange Server must be specified. By default,
this script tries “Exchange2010”. Additional options to try are
Exchange2007_SP1, Exchange2010, Exchange2010_SP1, Exchange2010_SP2,
Exchange2013, or Exchange2013_SP1.
* OutputCsv – Outputs the results of the search to a CSV file.
* MailsPerUser – The total number of latest emails to search through in the
mailbox. The default is set to the latest 100 emails in the inbox.
* EmailList – A text file listing email addresses to search (one per line).

DEMO VIDEO

CONCLUSION

Having the ability to now search through every mailbox on a domain allows us as
penetration testers to discover sensitive data on a network faster. It might
also prove to be useful for escalating privileges. From a blue team perspective,
it could even be used regularly to check if employees are sending sensitive
information in emails that are against company policy. As of this blog post
MailSniper is very much in beta form and is under development. Some future
objectives for the tool are already being planned out as well.

Download MailSniper here: https://github.com/dafthack/MailSniper

--------------------------------------------------------------------------------

Wild West Hackin’ Fest – Most Hands-On Infosec Con!

Join us at Wild West Hackin’ Fest in Deadwood — September 23-25th, 2020. Learn
more: https://www.wildwesthackinfest.com/

--------------------------------------------------------------------------------

Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts,
and podcasts.

Join 3,811 other subscribers

Email Address

SHARE THIS:

* Click to share on Twitter (Opens in new window)
* Click to share on LinkedIn (Opens in new window)
* Click to share on Facebook (Opens in new window)
* Click to print (Opens in new window)
*

ABUSING EXCHANGE MAILBOX PERMISSIONS WITH MAILSNIPER

Beau Bullock // Overview Microsoft Exchange users have the power to grant other
users various levels of access to their mailbox folders. For example, a user can
grant other users access to read emails from their Inbox. If a user (or Exchange
administrator) isn’t careful and sets permissions incorrectly they…

April 21, 2017

In "External/Internal"

BYPASSING TWO-FACTOR AUTHENTICATION ON OWA & OFFICE365 PORTALS

Beau Bullock // Full Disclosure: Black Hills Information Security believes in
responsible disclosure of vulnerabilities. This vulnerability was reported to
Microsoft on September 28th, 2016. As of the publication date of this
post(November 2nd, 2016) Microsoft have not responded with any updates other
than to say there are no updates. The…

November 2, 2016

In "External/Internal"

ATTACKING EXCHANGE WITH MAILSNIPER

Beau Bullock // I’ve added in a few modules to MailSniper that will assist in
remote attacks against organizations that are hosting an externally facing
Exchange server (OWA or EWS). Specifically, the modules are
Get-GlobalAddressList, Invoke-PasswordSprayOWA, and Invoke-PasswordSprayEWS.
Get-GlobalAddressList Very often on external penetration tests we perform a
reconnaissance phase that…

October 3, 2016

In "External/Internal"

Turning a Raspberry Pi 3 Into a Cloaking Device With goSecure VPN John’s Talk
from DerbyCon 2016

16 COMMENTS

1. Fred
September 25, 2016 @ 4:47 pm

Will this work with O365?

* Beau
September 26, 2016 @ 7:29 pm

Yes. Office365 exposes the Exchange Web Services API externally here:
https://outlook.office365.com/EWS/Exchange.asmx. Autodiscover should
automatically locate that too. There would likely be a couple issues with
searching all mailboxes though. First, you still need a user who has a
privilege level to view each user’s mailbox. The current way the tool is
setup the GlobalMailSearch will likely fail with O365. The second problem
is that you would need a new method of gathering emails.

I will add this as an issue to the repo to work on! Thanks!

2. Pralhad
September 26, 2016 @ 1:31 pm

Hey Beau,

Is it possible to read the email of the only one user remotely, whose
credentials are compromised during Internal engagement ?

* Beau
September 26, 2016 @ 7:34 pm

Hey Pralhad, If I understand your question correctly it sounds like you
are asking if it is possible to connect to Exchange mailboxes remotely
over the Internet with credentials. If an organization has Outlook Web
Access setup and haven’t disabled Exchange Web Services then yes it is
possible to use this to read email of a single user remotely over the
Internet. The easiest way to test it is to try to connect to the following
URL (modifying the domain accordingly) to determine if EWS is there:
https://owa-subdomain.domain.com/EWS/Exchange.asmx

3. Aaron Henderson
September 30, 2016 @ 7:41 am

When I run this against my server (Exchange 2013) I get a warning for every
user that

“[*] Warning: : does not appear to have a mailbox.”

Also, when it is going though each user it is using the local domain and the
mail domain.

* Beau
September 30, 2016 @ 7:49 am

Hey Aaron,

Can you shoot me an email at beau blackhillsinfosec.com with a bit more
info please? Specifically, can you send me the command you ran, and what
you mean by “it is using the local domain and the mail domain”?

-Beau

4. Jason
April 24, 2017 @ 8:46 am

Will this work on powershell 5? I cannot seem to import the module.

* Beau
April 24, 2017 @ 9:01 am

Yes, it should. PS version 5 is what I mainly test it on. Are you getting
any errors?

* Jason
April 24, 2017 @ 9:14 am

PS C:\PenTesting> Import-Module .\MailSniper.ps1
At C:\PenTesting\MailSniper.ps1:120 char:13
+ <a href="/business" class="js-selected-navigation-item na …
+ ~
The '<' operator is reserved for future use.
At C:\PenTesting\MailSniper.ps1:122 char:13
+ <a href="/explore" class="js-selected-navigation-item nav …
+ ~
The '<' operator is reserved for future use.
At C:\PenTesting\MailSniper.ps1:124 char:13
+ <a href="/pricing" class="js-selected-navigation-item nav …
+ ~
The '<' operator is reserved for future use.
At C:\PenTesting\MailSniper.ps1:126 char:11
+
+ ~
The ‘<input name="utf8" type="hidden" value="✓" …
+ ~
The ampersand (&) character is not allowed. The & operator is reserved
for
future use; wrap an ampersand in double quotation marks ("&") to pass it
as
part of a string.
At C:\PenTesting\MailSniper.ps1:12013 char:11
+ © 2017 <span title="0.25292s from github-fe-134ed95.cp …
+ ~
The ampersand (&) character is not allowed. The & operator is reserved
for
future use; wrap an ampersand in double quotation marks ("&") to pass it
as
part of a string.
At C:\PenTesting\MailSniper.ps1:12013 char:23
+ © 2017 <span title="0.25292s from github-fe-134ed95.cp …
+ ~
The '<' operator is reserved for future use.
At C:\PenTesting\MailSniper.ps1:12013 char:29
+ … 2017 GitHub’ in expression or
statement.
At C:\PenTesting\MailSniper.ps1:12013 char:101
+ … 92s from github-fe-134ed95.cp1-iad.github.net”>GitHub, Inc.</l …
+ ~
Missing argument in parameter list.
At C:\PenTesting\MailSniper.ps1:12032 char:12
+ You can't perform that action at this time.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The string is missing the terminator: '.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordEx
ception
+ FullyQualifiedErrorId : RedirectionNotSupported

* Beau
April 24, 2017 @ 11:13 am

It looks like you have some of Github’s HTML in your ps1. Make sure you
are just copying the raw PowerShell code. You can get that by cloning
the repo or copying it from here:
https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1

5. Jason
April 24, 2017 @ 11:33 am

done deal, thank you!

6. mark
May 11, 2017 @ 12:21 pm

Nice tool Beau, thanks for making it available.

I’m running Invoke-GlobalMailSearch on an exchange server with ~ 40 users,
each user account has an email address in 10 internet domains. The
emailaddresses property contains each of the 10 addresses.

To avoid scanning the 400 mailboxes, I replaced ‘-expandproperty
emailaddresses’ with ‘-expandproperty primarySmtpAddress’, to prevent
looping through the same mailboxes 10 different times and making me go edit
the resulting csv file to remove all the duplicates.

I also added a couple of add-members to add the foldername and Mailbox to
the $item so that could be exported into the csv. And when an attachment
matches the search, I added that to the $item so it can go into the
resulting CSV too.

Thanks again, great stuff.

7. Spencer Fermo
July 17, 2017 @ 11:24 am

Hey Beau, I have a few questions (all for the Invoke-GlobalMailSearch
cmdlet): are the terms case sensitive? What term would I input to simply
export ALL emails only once? What specific mailboxes does it search?

Thank you for your response. I do apologize if these questions are very
easily answered, I am extremely new to power shell.

* Spencer
July 17, 2017 @ 12:06 pm

Oops, sorry for posting the same thing twice.

8. Spencer
July 17, 2017 @ 11:35 am

Hey Beau, I have a few questions for your Invoke-GlobalMailSearch cmdlet: is
the ‘terms’ parameter case sensitive? Exactly what mailboxes is the cmdlet
searching and pulling from? What specific term should be entered to simply
export ALL emails just once?

Thank you for your response, I do apologize if these questions are easily
answered, I am very new to Power Shell.

* Beau
July 17, 2017 @ 12:25 pm

Hey Spencer,

Terms is not case-sensitive. It uses the PowerShell -like operator which
doesn’t care about case. By default Invoke-GlobalMailSearch and
Invoke-SelfSearch just search the “Inbox” folder. You can specify other
folders with the -Folder option. If you want to search all folders for a
user specify “all” after -Folder. If you user -Terms “*” it should get
everything.

Hope that helps!

*
*
*
*
*
*

LOOKING FOR SOMETHING?

SUBSCRIBE TO THE BHIS BLOG

Don't get left in the dark! Enter your email address and every time a post goes
live you'll get an instant notification! We'll also add you to our webcast list,
so you won't miss our occasional emails about upcoming events! (We promise,
we're not spammy!)

Email Address

BROWSE BY CATEGORY

Select Category Backdoors & Breaches (4) Blue Team (70) Blue Team Tools (31)
C2 (26) DNSTAP (1) External/Internal (44) Finding (7) Fun & Games (54)
General InfoSec Tips & Tricks (43) Hardware Hacking (16) How-To (182) Hunt
Teaming (9) Informational (225) InfoSec 101 (165) InfoSec 201 (29) InfoSec
301 (8) LLMNR (3) Mobile (4) News (60) Password Cracking (10) Password
Spray (12) Phishing (16) Physical (8) Podcasts (106) Recon (11) Red
Team (178) Red Team Tools (75) Social Engineering (6) Web App (14)
Webcasts (113) Wireless (9)

www.blackhillsinfosec.com Open in urlscan Pro 2606:4700:10::6816:933 Public Scan

Form analysis 4 forms found in the DOM

POST #

GET https://www.blackhillsinfosec.com/

POST #

GET https://www.blackhillsinfosec.com/

Text Content

www.blackhillsinfosec.com Open in urlscan Pro
2606:4700:10::6816:933 Public Scan

Form analysis
4 forms found in the DOM