From 5d1565152cb88dfba911f310bb384552f64aa311 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Sun, 12 May 2019 18:19:00 +0200
Subject: [PATCH] chg: [o365-exchange-techniques] Expansion added (WiP)

---
 clusters/o365-exchange-techniques.json | 80 ++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)

diff --git a/clusters/o365-exchange-techniques.json b/clusters/o365-exchange-techniques.json
index fdcd02e..2f9816f 100644
--- a/clusters/o365-exchange-techniques.json
+++ b/clusters/o365-exchange-techniques.json
@@ -249,6 +249,86 @@
       },
       "uuid": "d023f254-466b-436b-acfd-beea54c323b1",
       "value": "End Point - Create Hidden Mailbox Rule"
+    },
+    {
+      "description": "O365 - MailSniper: Search Mailbox for credentials",
+      "meta": {
+        "kill_chain": [
+          "tactics:Expansion"
+        ]
+      },
+      "uuid": "fccf7c5a-7d2c-413b-ae45-d5ab226c8ba8",
+      "value": "O365 - MailSniper: Search Mailbox for credentials"
+    },
+    {
+      "description": "O365 - Search for Content with eDiscovery",
+      "meta": {
+        "kill_chain": [
+          "tactics:Expansion"
+        ]
+      },
+      "uuid": "fe65c7ed-7129-4591-a82e-a223b0cdbf14",
+      "value": "O365 - Search for Content with eDiscovery"
+    },
+    {
+      "description": "O365 - Account Takeover: Add-MailboxPermission",
+      "meta": {
+        "kill_chain": [
+          "tactics:Expansion"
+        ]
+      },
+      "uuid": "19f22ecb-8470-4f69-a763-46a19afe6c5d",
+      "value": "O365 - Account Takeover: Add-MailboxPermission"
+    },
+    {
+      "description": "O365 - Pivot to On-Prem host: SensePost Ruler",
+      "meta": {
+        "kill_chain": [
+          "tactics:Expansion"
+        ]
+      },
+      "uuid": "c0010a9d-666e-4cfd-a9b3-21f5861ecdf6",
+      "value": "O365 - Pivot to On-Prem host: SensePost Ruler"
+    },
+    {
+      "description": "O365 - Exchange Tasks for C2: MWR",
+      "meta": {
+        "kill_chain": [
+          "tactics:Expansion"
+        ]
+      },
+      "uuid": "9ada2a83-c632-4c9c-91cd-b1d7b947e44a",
+      "value": "O365 - Exchange Tasks for C2: MWR"
+    },
+    {
+      "description": "O365 - Send Internal Email",
+      "meta": {
+        "kill_chain": [
+          "tactics:Expansion"
+        ]
+      },
+      "uuid": "685af033-af7b-4582-a539-5f1f9080fd98",
+      "value": "O365 - Send Internal Email"
+    },
+    {
+      "description": "On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)",
+      "meta": {
+        "kill_chain": [
+          "tactics:Expansion"
+        ]
+      },
+      "uuid": "0f33ff1e-2305-4239-8d30-38edcfe2511a",
+      "value": "On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)"
+    },
+    {
+      "description": "On-Prem Exchange - Delegation",
+      "meta": {
+        "kill_chain": [
+          "tactics:Expansion"
+        ]
+      },
+      "uuid": "a69da576-7ed2-4b29-8c4a-6c16bd2c2a54",
+      "value": "On-Prem Exchange - Delegation"
     }
   ],
   "version": 1