misp-galaxy/clusters/o365-exchange-techniques.json

{
  "authors": [
    "John Lambert",
    "Alexandre Dulaunoy"
  ],
  "category": "guidelines",
  "description": "o365-exchange-techniques - Office365/Exchange related techniques by @johnLaT",
  "name": "o365-exchange-techniques",
  "source": "Open Sources",
  "type": "cloud-security",
  "uuid": "44574c7e-b732-4466-a7be-ef363374013a",
  "values": [
    {
      "description": "AAD - Dump users and groups with Azure AD",
      "meta": {
        "kill_chain": [
          "tactics:Recon"
        ]
      },
      "uuid": "fab70361-329a-410a-9dc4-831ecd8df39f",
      "value": "AAD - Dump users and groups with Azure AD"
    },
    {
      "description": "O365 - Get Global Address List: MailSniper",
      "meta": {
        "kill_chain": [
          "tactics:Recon"
        ]
      },
      "uuid": "21833216-1b8a-43a9-b51e-500c67a900a8",
      "value": "O365 - Get Global Address List: MailSniper"
    },
    {
      "description": "O365 - Find Open Mailboxes: MailSniper",
      "meta": {
        "kill_chain": [
          "tactics:Recon"
        ]
      },
      "uuid": "9e3af2e1-90a6-4d69-ba82-cb0c99401713",
      "value": "O365 - Find Open Mailboxes: MailSniper"
    },
    {
      "description": "O365 - User account enumeration with ActiveSync",
      "meta": {
        "kill_chain": [
          "tactics:Recon"
        ]
      },
      "uuid": "53361eef-39b0-4c46-a009-0b4e3a0e286a",
      "value": "O365 - User account enumeration with ActiveSync"
    },
    {
      "description": "End Point - Search host for Azure Credentials: SharpCloud",
      "meta": {
        "kill_chain": [
          "tactics:Recon"
        ]
      },
      "uuid": "5c0c2b04-77e5-4f50-a0b8-206d7cc9946a",
      "value": "End Point - Search host for Azure Credentials: SharpCloud"
    },
    {
      "description": "On-Prem Exchange - Portal Recon",
      "meta": {
        "kill_chain": [
          "tactics:Recon"
        ]
      },
      "uuid": "2cd547bf-b093-4dab-b9e5-5172049cbc0d",
      "value": "On-Prem Exchange - Portal Recon"
    },
    {
      "description": "On-Prem Exchange - Enumerate domain accounts: using Skype4B",
      "meta": {
        "kill_chain": [
          "tactics:Recon"
        ]
      },
      "uuid": "651fdde4-09ed-48b7-9620-545d7dcec251",
      "value": "On-Prem Exchange - Enumerate domain accounts: using Skype4B"
    },
    {
      "description": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange",
      "meta": {
        "kill_chain": [
          "tactics:Recon"
        ]
      },
      "uuid": "008c46de-4667-4e40-9bea-74e91b6587fd",
      "value": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange"
    },
    {
      "description": "On-Prem Exchange - Enumerate domain accounts: FindPeople",
      "meta": {
        "kill_chain": [
          "tactics:Recon"
        ]
      },
      "uuid": "435e9319-88ed-4555-be84-a5322dc997a4",
      "value": "On-Prem Exchange - Enumerate domain accounts: FindPeople"
    },
    {
      "description": "On-Prem Exchange - OWA version discovery",
      "meta": {
        "kill_chain": [
          "tactics:Recon"
        ]
      },
      "uuid": "f227caf6-9399-4ac3-bab4-010f66853abb",
      "value": "On-Prem Exchange - OWA version discovery"
    },
    {
      "description": "AAD - Password Spray: MailSniper",
      "meta": {
        "kill_chain": [
          "tactics:Compromise"
        ]
      },
      "uuid": "933ec08d-a6d4-4ced-b732-4cb0331e7799",
      "value": "AAD - Password Spray: MailSniper"
    },
    {
      "description": "AAD - Password Spray: CredKing",
      "meta": {
        "kill_chain": [
          "tactics:Compromise"
        ]
      },
      "uuid": "5670ca90-38cd-4825-bd83-1bdb31fd5ea3",
      "value": "AAD - Password Spray: CredKing"
    },
    {
      "description": "O365 - Bruteforce of Autodiscover: SensePost Ruler",
      "meta": {
        "kill_chain": [
          "tactics:Compromise"
        ]
      },
      "uuid": "d66c1ead-4dd3-4968-b6fe-faf41b7fb88d",
      "value": "O365 - Bruteforce of Autodiscover: SensePost Ruler"
    },
    {
      "description": "O365 - Phishing for credentials",
      "meta": {
        "kill_chain": [
          "tactics:Compromise"
        ]
      },
      "uuid": "eda57f15-029c-4465-9401-f9dafc6d366c",
      "value": "O365 - Phishing for credentials"
    },
    {
      "description": "O365 - Phishing using OAuth app",
      "meta": {
        "kill_chain": [
          "tactics:Compromise"
        ]
      },
      "uuid": "61589df6-6848-4866-8613-8a4a7478abef",
      "value": "O365 - Phishing using OAuth app"
    },
    {
      "description": "O365 - 2FA MITM Phishing: evilginx2",
      "meta": {
        "kill_chain": [
          "tactics:Compromise"
        ]
      },
      "uuid": "fa1087c8-012d-4ef6-9eb3-5b5a6fb94c02",
      "value": "O365 - 2FA MITM Phishing: evilginx2"
    },
    {
      "description": "On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS",
      "meta": {
        "kill_chain": [
          "tactics:Compromise"
        ]
      },
      "uuid": "8ffe80b9-0213-40c6-aeca-8877bdca8741",
      "value": "On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS"
    },
    {
      "description": "On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler",
      "meta": {
        "kill_chain": [
          "tactics:Compromise"
        ]
      },
      "uuid": "cf8df948-0332-4ec7-94f3-3f6d54bbcbb9",
      "value": "On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler"
    },
    {
      "description": "O365 - Add Mail forwarding rule",
      "meta": {
        "kill_chain": [
          "tactics:Persistence"
        ]
      },
      "uuid": "80308e39-11e9-45b2-b6d2-f13f3de509ab",
      "value": "O365 - Add Mail forwarding rule"
    },
    {
      "description": "O365 - Add Global admin account",
      "meta": {
        "kill_chain": [
          "tactics:Persistence"
        ]
      },
      "uuid": "a9c1f718-b9bf-4efc-9fa1-852b6c93f725",
      "value": "O365 - Add Global admin account"
    },
    {
      "description": "O365 - Delegate Tenant Admin",
      "meta": {
        "kill_chain": [
          "tactics:Persistence"
        ]
      },
      "uuid": "80308e39-11e9-45b2-b6d2-f13f3de509ab",
      "value": "O365 - Delegate Tenant Admin"
    },
    {
      "description": "End Point - Persistence throught Outlook Home Page: SensePost Ruler",
      "meta": {
        "kill_chain": [
          "tactics:Persistence"
        ]
      },
      "uuid": "708790c8-3e6f-4dd3-8f89-0651ef71dfe0",
      "value": "End Point - Persistence throught Outlook Home Page: SensePost Ruler"
    },
    {
      "description": "End Point - Persistence throught custom Outlook form",
      "meta": {
        "kill_chain": [
          "tactics:Persistence"
        ]
      },
      "uuid": "aadc2552-97db-419c-a414-5c1f862d38ef",
      "value": "End Point - Persistence throught custom Outlook form"
    },
    {
      "description": "End Point - Create Hidden Mailbox Rule",
      "meta": {
        "kill_chain": [
          "tactics:Persistence"
        ]
      },
      "uuid": "d023f254-466b-436b-acfd-beea54c323b1",
      "value": "End Point - Create Hidden Mailbox Rule"
    }
  ],
  "version": 1
}
chg: [o365-exchange-techniques] [WiP] based on John Lambert matrix techniques 2019-05-12 07:51:41 +00:00			`{`
			`"authors": [`
			`"John Lambert",`
			`"Alexandre Dulaunoy"`
			`],`
			`"category": "guidelines",`
			`"description": "o365-exchange-techniques - Office365/Exchange related techniques by @johnLaT",`
			`"name": "o365-exchange-techniques",`
			`"source": "Open Sources",`
			`"type": "cloud-security",`
			`"uuid": "44574c7e-b732-4466-a7be-ef363374013a",`
			`"values": [`
			`{`
			`"description": "AAD - Dump users and groups with Azure AD",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Recon"`
			`]`
			`},`
			`"uuid": "fab70361-329a-410a-9dc4-831ecd8df39f",`
			`"value": "AAD - Dump users and groups with Azure AD"`
			`},`
			`{`
			`"description": "O365 - Get Global Address List: MailSniper",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Recon"`
			`]`
			`},`
			`"uuid": "21833216-1b8a-43a9-b51e-500c67a900a8",`
			`"value": "O365 - Get Global Address List: MailSniper"`
			`},`
			`{`
			`"description": "O365 - Find Open Mailboxes: MailSniper",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Recon"`
			`]`
			`},`
			`"uuid": "9e3af2e1-90a6-4d69-ba82-cb0c99401713",`
			`"value": "O365 - Find Open Mailboxes: MailSniper"`
			`},`
			`{`
			`"description": "O365 - User account enumeration with ActiveSync",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Recon"`
			`]`
			`},`
			`"uuid": "53361eef-39b0-4c46-a009-0b4e3a0e286a",`
			`"value": "O365 - User account enumeration with ActiveSync"`
			`},`
			`{`
			`"description": "End Point - Search host for Azure Credentials: SharpCloud",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Recon"`
			`]`
			`},`
			`"uuid": "5c0c2b04-77e5-4f50-a0b8-206d7cc9946a",`
			`"value": "End Point - Search host for Azure Credentials: SharpCloud"`
			`},`
			`{`
			`"description": "On-Prem Exchange - Portal Recon",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Recon"`
			`]`
			`},`
			`"uuid": "2cd547bf-b093-4dab-b9e5-5172049cbc0d",`
			`"value": "On-Prem Exchange - Portal Recon"`
			`},`
			`{`
			`"description": "On-Prem Exchange - Enumerate domain accounts: using Skype4B",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Recon"`
			`]`
			`},`
			`"uuid": "651fdde4-09ed-48b7-9620-545d7dcec251",`
			`"value": "On-Prem Exchange - Enumerate domain accounts: using Skype4B"`
			`},`
			`{`
			`"description": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Recon"`
			`]`
			`},`
			`"uuid": "008c46de-4667-4e40-9bea-74e91b6587fd",`
			`"value": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange"`
			`},`
			`{`
			`"description": "On-Prem Exchange - Enumerate domain accounts: FindPeople",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Recon"`
			`]`
			`},`
			`"uuid": "435e9319-88ed-4555-be84-a5322dc997a4",`
			`"value": "On-Prem Exchange - Enumerate domain accounts: FindPeople"`
			`},`
			`{`
			`"description": "On-Prem Exchange - OWA version discovery",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Recon"`
			`]`
			`},`
			`"uuid": "f227caf6-9399-4ac3-bab4-010f66853abb",`
			`"value": "On-Prem Exchange - OWA version discovery"`
chg: [o365-exchange-techniques] Compromise row added (WiP) 2019-05-12 10:07:30 +00:00			`},`
			`{`
			`"description": "AAD - Password Spray: MailSniper",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Compromise"`
			`]`
			`},`
			`"uuid": "933ec08d-a6d4-4ced-b732-4cb0331e7799",`
			`"value": "AAD - Password Spray: MailSniper"`
			`},`
			`{`
			`"description": "AAD - Password Spray: CredKing",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Compromise"`
			`]`
			`},`
			`"uuid": "5670ca90-38cd-4825-bd83-1bdb31fd5ea3",`
			`"value": "AAD - Password Spray: CredKing"`
			`},`
			`{`
			`"description": "O365 - Bruteforce of Autodiscover: SensePost Ruler",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Compromise"`
			`]`
			`},`
			`"uuid": "d66c1ead-4dd3-4968-b6fe-faf41b7fb88d",`
			`"value": "O365 - Bruteforce of Autodiscover: SensePost Ruler"`
			`},`
			`{`
			`"description": "O365 - Phishing for credentials",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Compromise"`
			`]`
			`},`
			`"uuid": "eda57f15-029c-4465-9401-f9dafc6d366c",`
			`"value": "O365 - Phishing for credentials"`
			`},`
			`{`
			`"description": "O365 - Phishing using OAuth app",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Compromise"`
			`]`
			`},`
			`"uuid": "61589df6-6848-4866-8613-8a4a7478abef",`
			`"value": "O365 - Phishing using OAuth app"`
			`},`
			`{`
			`"description": "O365 - 2FA MITM Phishing: evilginx2",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Compromise"`
			`]`
			`},`
			`"uuid": "fa1087c8-012d-4ef6-9eb3-5b5a6fb94c02",`
			`"value": "O365 - 2FA MITM Phishing: evilginx2"`
			`},`
			`{`
			`"description": "On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Compromise"`
			`]`
			`},`
			`"uuid": "8ffe80b9-0213-40c6-aeca-8877bdca8741",`
			`"value": "On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS"`
			`},`
			`{`
			`"description": "On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Compromise"`
			`]`
			`},`
			`"uuid": "cf8df948-0332-4ec7-94f3-3f6d54bbcbb9",`
			`"value": "On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler"`
chg: [o365-exchange-techniques] Persistence kill-chain added (WiP) 2019-05-12 15:54:53 +00:00			`},`
			`{`
			`"description": "O365 - Add Mail forwarding rule",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Persistence"`
			`]`
			`},`
			`"uuid": "80308e39-11e9-45b2-b6d2-f13f3de509ab",`
			`"value": "O365 - Add Mail forwarding rule"`
			`},`
			`{`
			`"description": "O365 - Add Global admin account",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Persistence"`
			`]`
			`},`
			`"uuid": "a9c1f718-b9bf-4efc-9fa1-852b6c93f725",`
			`"value": "O365 - Add Global admin account"`
			`},`
			`{`
			`"description": "O365 - Delegate Tenant Admin",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Persistence"`
			`]`
			`},`
			`"uuid": "80308e39-11e9-45b2-b6d2-f13f3de509ab",`
			`"value": "O365 - Delegate Tenant Admin"`
			`},`
			`{`
			`"description": "End Point - Persistence throught Outlook Home Page: SensePost Ruler",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Persistence"`
			`]`
			`},`
			`"uuid": "708790c8-3e6f-4dd3-8f89-0651ef71dfe0",`
			`"value": "End Point - Persistence throught Outlook Home Page: SensePost Ruler"`
			`},`
			`{`
			`"description": "End Point - Persistence throught custom Outlook form",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Persistence"`
			`]`
			`},`
			`"uuid": "aadc2552-97db-419c-a414-5c1f862d38ef",`
			`"value": "End Point - Persistence throught custom Outlook form"`
			`},`
			`{`
			`"description": "End Point - Create Hidden Mailbox Rule",`
			`"meta": {`
			`"kill_chain": [`
			`"tactics:Persistence"`
			`]`
			`},`
			`"uuid": "d023f254-466b-436b-acfd-beea54c323b1",`
			`"value": "End Point - Create Hidden Mailbox Rule"`
chg: [o365-exchange-techniques] [WiP] based on John Lambert matrix techniques 2019-05-12 07:51:41 +00:00			`}`
			`],`
			`"version": 1`
			`}`