From 3a75c6a3dffa71903a84919edce6cc931a3c0ac4 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Sun, 12 May 2019 12:07:30 +0200
Subject: [PATCH] chg: [o365-exchange-techniques] Compromise row added (WiP)

---
 clusters/o365-exchange-techniques.json | 80 ++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)

diff --git a/clusters/o365-exchange-techniques.json b/clusters/o365-exchange-techniques.json
index a79baa8..5dbe500 100644
--- a/clusters/o365-exchange-techniques.json
+++ b/clusters/o365-exchange-techniques.json
@@ -109,6 +109,86 @@
       },
       "uuid": "f227caf6-9399-4ac3-bab4-010f66853abb",
       "value": "On-Prem Exchange - OWA version discovery"
+    },
+    {
+      "description": "AAD - Password Spray: MailSniper",
+      "meta": {
+        "kill_chain": [
+          "tactics:Compromise"
+        ]
+      },
+      "uuid": "933ec08d-a6d4-4ced-b732-4cb0331e7799",
+      "value": "AAD - Password Spray: MailSniper"
+    },
+    {
+      "description": "AAD - Password Spray: CredKing",
+      "meta": {
+        "kill_chain": [
+          "tactics:Compromise"
+        ]
+      },
+      "uuid": "5670ca90-38cd-4825-bd83-1bdb31fd5ea3",
+      "value": "AAD - Password Spray: CredKing"
+    },
+    {
+      "description": "O365 - Bruteforce of Autodiscover: SensePost Ruler",
+      "meta": {
+        "kill_chain": [
+          "tactics:Compromise"
+        ]
+      },
+      "uuid": "d66c1ead-4dd3-4968-b6fe-faf41b7fb88d",
+      "value": "O365 - Bruteforce of Autodiscover: SensePost Ruler"
+    },
+    {
+      "description": "O365 - Phishing for credentials",
+      "meta": {
+        "kill_chain": [
+          "tactics:Compromise"
+        ]
+      },
+      "uuid": "eda57f15-029c-4465-9401-f9dafc6d366c",
+      "value": "O365 - Phishing for credentials"
+    },
+    {
+      "description": "O365 - Phishing using OAuth app",
+      "meta": {
+        "kill_chain": [
+          "tactics:Compromise"
+        ]
+      },
+      "uuid": "61589df6-6848-4866-8613-8a4a7478abef",
+      "value": "O365 - Phishing using OAuth app"
+    },
+    {
+      "description": "O365 - 2FA MITM Phishing: evilginx2",
+      "meta": {
+        "kill_chain": [
+          "tactics:Compromise"
+        ]
+      },
+      "uuid": "fa1087c8-012d-4ef6-9eb3-5b5a6fb94c02",
+      "value": "O365 - 2FA MITM Phishing: evilginx2"
+    },
+    {
+      "description": "On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS",
+      "meta": {
+        "kill_chain": [
+          "tactics:Compromise"
+        ]
+      },
+      "uuid": "8ffe80b9-0213-40c6-aeca-8877bdca8741",
+      "value": "On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS"
+    },
+    {
+      "description": "On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler",
+      "meta": {
+        "kill_chain": [
+          "tactics:Compromise"
+        ]
+      },
+      "uuid": "cf8df948-0332-4ec7-94f3-3f6d54bbcbb9",
+      "value": "On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler"
     }
   ],
   "version": 1