- Tactics
- Collection
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1114.001
Description
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.(Citation: Microsoft Outlook Files)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Collection tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1005 — Data from Local System
- T1025 — Data from Removable Media
- T1039 — Data from Network Shared Drive
- T1056 — Input Capture
- T1074 — Data Staged
- T1113 — Screen Capture
- T1114 — Email Collection
- T1115 — Clipboard Data
- T1119 — Automated Collection
- T1123 — Audio Capture
- T1125 — Video Capture
- T1185 — Browser Session Hijacking