Saturday, February 10, 2018

Internal AD and Company Info from Offline Address Book

Sync'd corporate data that leaves voluntarily

It's always interesting to see the types of data that are part of normal operations, even in controlled environments, and that can become useful to an attacker. Here is a quick dive into what can be gleaned from a few files within Microsoft Outlook that may be available if an attacker compromised a single PC or laptop.

It's all about that AppData

Within this folder lies a tremendous wealth of info for an attacker to use to determine what's happening on your internal network, your AD structure, or even who's who within your IT department.
Let's first look at the "Offline Address Books" folder.

Using just Notepad.exe, we can examine the "udetails.oab" file.

Within this, a number of details can be seen:
  • SMTP addresses
  • Windows user IDs
  • OU structure
  • Internal Certificate Authorities
  • Notes and Descriptions
  • Home Directory

Using this data, you could build a more reliable target list for the company. Digging into each user could allow for a better understanding of which users are admins, which are in groups that are exempted from certain policies, who's full-time, part-time, or a consultant, or even who's being investigated internally by the company or under litigation hold.

The two areas to address leaking this type of info are as follows:

  1. Do you allow company employees to access their email using a full Outlook client on their personal PCs? If so, this data is out of your hands and susceptible to whatever hits their device.
  2. Do you regularly leverage the notes section of AD to track changes? If so, this is viewable not just by any employee, but by any attacker that can access the files listed above.
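To see how much of point 2 applies to your own directory before it is synced into every user's OAB, the following added script (not from the original post) audits mail-enabled AD users for Notes (LDAP attribute `info`), Description and Home Directory text, and flags entries that look like change tracking or HR/legal annotations. It assumes the ActiveDirectory RSAT module and read access to the domain; the keyword list is a constructed starting point.

```powershell
# Added example, not part of the original post: audit the AD attributes the post
# lists as visible in udetails.oab, since whatever is written there is what the
# OAB carries to every Outlook client. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# 'info' is the LDAP name of the Notes field shown in the AD Users and Computers UI.
$attrs = 'info', 'description', 'homeDirectory', 'mail', 'sAMAccountName'

# Only mail-enabled users end up in the address book; keep those with any free text.
$exposed = Get-ADUser -Filter 'mail -like "*"' -Properties $attrs |
    Where-Object { $_.info -or $_.description } |
    Select-Object sAMAccountName, mail, homeDirectory,
        @{ Name = 'Description'; Expression = { $_.description -join ' ' } },
        @{ Name = 'Notes';       Expression = { $_.info } },
        @{ Name = 'OU';          Expression = { ($_.DistinguishedName -split ',', 2)[1] } }

# Constructed keyword list covering the kinds of annotations the post warns about
# (admin status, policy exemptions, employment type, legal/HR matters, change tickets).
# Tune it to your own documentation conventions.
$keywords = 'admin', 'exempt', 'contractor', 'consultant', 'legal hold',
            'investigat', 'ticket', 'changed'

$flagged = $exposed | Where-Object {
    $text = "$($_.Notes) $($_.Description)".ToLower()
    # Any keyword match makes the inner pipeline return a non-empty string (truthy).
    $keywords | Where-Object { $text -like "*$_*" } | Select-Object -First 1
}

"{0} mail-enabled users carry Notes/Description text; {1} match sensitive keywords" -f
    @($exposed).Count, @($flagged).Count

# Group by OU so you can see which parts of the structure leak the most detail.
$flagged | Sort-Object OU | Format-Table sAMAccountName, OU, Description, Notes -AutoSize

# Full export for the team that owns the attributes, so the text can be moved to a
# system that is not replicated to every client.
$exposed | Export-Csv -NoTypeInformation -Path .\oab-exposed-attributes.csv
```

Anything that shows up here should be assumed readable by every account that can open Outlook, and by anyone who later obtains a copy of that user's AppData folder.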