From a2df5c46d8452ad295e257e38f59777052878933 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 12 May 2019 09:51:41 +0200
Subject: [PATCH] chg: [o365-exchange-techniques] [WiP] based on John Lambert matrix techniques
---
clusters/o365-exchange-techniques.json | 115 +++++++++++++++++++++++++
galaxies/o365-exchange-techniques.json | 18 ++++
2 files changed, 133 insertions(+)
create mode 100644 clusters/o365-exchange-techniques.json
create mode 100644 galaxies/o365-exchange-techniques.json
diff --git a/clusters/o365-exchange-techniques.json b/clusters/o365-exchange-techniques.json
new file mode 100644
index 0000000..a79baa8
--- /dev/null
+++ b/clusters/o365-exchange-techniques.json
@@ -0,0 +1,115 @@
+{
+ "authors": [
+ "John Lambert",
+ "Alexandre Dulaunoy"
+ ],
+ "category": "guidelines",
+ "description": "o365-exchange-techniques - Office365/Exchange related techniques by @johnLaT",
+ "name": "o365-exchange-techniques",
+ "source": "Open Sources",
+ "type": "cloud-security",
+ "uuid": "44574c7e-b732-4466-a7be-ef363374013a",
+ "values": [
+ {
+ "description": "AAD - Dump users and groups with Azure AD",
+ "meta": {
+ "kill_chain": [
+ "tactics:Recon"
+ ]
+ },
+ "uuid": "fab70361-329a-410a-9dc4-831ecd8df39f",
+ "value": "AAD - Dump users and groups with Azure AD"
+ },
+ {
+ "description": "O365 - Get Global Address List: MailSniper",
+ "meta": {
+ "kill_chain": [
+ "tactics:Recon"
+ ]
+ },
+ "uuid": "21833216-1b8a-43a9-b51e-500c67a900a8",
+ "value": "O365 - Get Global Address List: MailSniper"
+ },
+ {
+ "description": "O365 - Find Open Mailboxes: MailSniper",
+ "meta": {
+ "kill_chain": [
+ "tactics:Recon"
+ ]
+ },
+ "uuid": "9e3af2e1-90a6-4d69-ba82-cb0c99401713",
+ "value": "O365 - Find Open Mailboxes: MailSniper"
+ },
+ {
+ "description": "O365 - User account enumeration with ActiveSync",
+ "meta": {
+ "kill_chain": [
+ "tactics:Recon"
+ ]
+ },
+ "uuid": "53361eef-39b0-4c46-a009-0b4e3a0e286a",
+ "value": "O365 - User account enumeration with ActiveSync"
+ },
+ {
+ "description": "End Point - Search host for Azure Credentials: SharpCloud",
+ "meta": {
+ "kill_chain": [
+ "tactics:Recon"
+ ]
+ },
+ "uuid": "5c0c2b04-77e5-4f50-a0b8-206d7cc9946a",
+ "value": "End Point - Search host for Azure Credentials: SharpCloud"
+ },
+ {
+ "description": "On-Prem Exchange - Portal Recon",
+ "meta": {
+ "kill_chain": [
+ "tactics:Recon"
+ ]
+ },
+ "uuid": "2cd547bf-b093-4dab-b9e5-5172049cbc0d",
+ "value": "On-Prem Exchange - Portal Recon"
+ },
+ {
+ "description": "On-Prem Exchange - Enumerate domain accounts: using Skype4B",
+ "meta": {
+ "kill_chain": [
+ "tactics:Recon"
+ ]
+ },
+ "uuid": "651fdde4-09ed-48b7-9620-545d7dcec251",
+ "value": "On-Prem Exchange - Enumerate domain accounts: using Skype4B"
+ },
+ {
+ "description": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange",
+ "meta": {
+ "kill_chain": [
+ "tactics:Recon"
+ ]
+ },
+ "uuid": "008c46de-4667-4e40-9bea-74e91b6587fd",
+ "value": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange"
+ },
+ {
+ "description": "On-Prem Exchange - Enumerate domain accounts: FindPeople",
+ "meta": {
+ "kill_chain": [
+ "tactics:Recon"
+ ]
+ },
+ "uuid": "435e9319-88ed-4555-be84-a5322dc997a4",
+ "value": "On-Prem Exchange - Enumerate domain accounts: FindPeople"
+ },
+ {
+ "description": "On-Prem Exchange - OWA version discovery",
+ "meta": {
+ "kill_chain": [
+ "tactics:Recon"
+ ]
+ },
+ "uuid": "f227caf6-9399-4ac3-bab4-010f66853abb",
+ "value": "On-Prem Exchange - OWA version discovery"
+ }
+ ],
+ "version": 1
+}
diff --git a/galaxies/o365-exchange-techniques.json b/galaxies/o365-exchange-techniques.json
new file mode 100644
index 0000000..204adf6
--- /dev/null
+++ b/galaxies/o365-exchange-techniques.json
@@ -0,0 +1,18 @@
+{
+ "description": "o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC",
+ "icon": "map",
+ "kill_chain_order": {
+ "tactics": [
+ "Recon",
+ "Compromise",
+ "Persistence",
+ "Expansion",
+ "Actions on Intent"
+ ]
+ },
+ "name": "o365-exchange-techniques",
+ "namespace": "misp",
+ "type": "cloud-security",
+ "uuid": "44574c7e-b732-4466-a7be-ef363374013a",
+ "version": 1
+}
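Review bot: The top-level `description` in clusters/o365-exchange-techniques.json credits `@johnLaT`, while the galaxy file added in the same patch spells the handle `@johnLaTwC`; the cluster string looks truncated and should read `"description": "o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC",`. Separately, every entry's `description` is a verbatim copy of its `value`, so an analyst who tags an event with one of these clusters gets no more context than the label itself. A one-sentence description of what each technique exposes, plus a `meta.refs` entry pointing at the source matrix, would make the cluster usable for triage and detection mapping. `"category": "guidelines"` also looks carried over from another cluster rather than chosen for a techniques matrix, which is worth confirming before the WiP marker is dropped.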