From ee0f793e49912c61f32cf8fb5d13eb6fbaf19307 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Sun, 12 May 2019 17:54:53 +0200
Subject: [PATCH] chg: [o365-exchange-techniques] Persistence kill-chain added
 (WiP)

---
 clusters/o365-exchange-techniques.json | 60 ++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/clusters/o365-exchange-techniques.json b/clusters/o365-exchange-techniques.json
index 5dbe500..fdcd02e 100644
--- a/clusters/o365-exchange-techniques.json
+++ b/clusters/o365-exchange-techniques.json
@@ -189,6 +189,66 @@
       },
       "uuid": "cf8df948-0332-4ec7-94f3-3f6d54bbcbb9",
       "value": "On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler"
+    },
+    {
+      "description": "O365 - Add Mail forwarding rule",
+      "meta": {
+        "kill_chain": [
+          "tactics:Persistence"
+        ]
+      },
+      "uuid": "80308e39-11e9-45b2-b6d2-f13f3de509ab",
+      "value": "O365 - Add Mail forwarding rule"
+    },
+    {
+      "description": "O365 - Add Global admin account",
+      "meta": {
+        "kill_chain": [
+          "tactics:Persistence"
+        ]
+      },
+      "uuid": "a9c1f718-b9bf-4efc-9fa1-852b6c93f725",
+      "value": "O365 - Add Global admin account"
+    },
+    {
+      "description": "O365 - Delegate Tenant Admin",
+      "meta": {
+        "kill_chain": [
+          "tactics:Persistence"
+        ]
+      },
+      "uuid": "80308e39-11e9-45b2-b6d2-f13f3de509ab",
+      "value": "O365 - Delegate Tenant Admin"
+    },
+    {
+      "description": "End Point - Persistence throught Outlook Home Page: SensePost Ruler",
+      "meta": {
+        "kill_chain": [
+          "tactics:Persistence"
+        ]
+      },
+      "uuid": "708790c8-3e6f-4dd3-8f89-0651ef71dfe0",
+      "value": "End Point - Persistence throught Outlook Home Page: SensePost Ruler"
+    },
+    {
+      "description": "End Point - Persistence throught custom Outlook form",
+      "meta": {
+        "kill_chain": [
+          "tactics:Persistence"
+        ]
+      },
+      "uuid": "aadc2552-97db-419c-a414-5c1f862d38ef",
+      "value": "End Point - Persistence throught custom Outlook form"
+    },
+    {
+      "description": "End Point - Create Hidden Mailbox Rule",
+      "meta": {
+        "kill_chain": [
+          "tactics:Persistence"
+        ]
+      },
+      "uuid": "d023f254-466b-436b-acfd-beea54c323b1",
+      "value": "End Point - Create Hidden Mailbox Rule"
     }
   ],
   "version": 1