diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 129e4d503..72e7ded9f 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -39,6 +39,11 @@ id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
 
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1005/"
+id = "T1005"
+name = "Data from Local System"
+
 [rule.threat.tactic]
 id = "TA0009"
diff --git a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
index cbd8c7b36..ac9ab73c8 100644
--- a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -39,6 +39,11 @@ id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
 
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1005/"
+id = "T1005"
+name = "Data from Local System"
+
 [rule.threat.tactic]
 id = "TA0009"
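Review bot: The added `[[rule.threat.technique]]` table puts `reference` first, while the T1114 entry directly above it is ordered `id`, `name`, `reference`. Matching that order keeps the ATT&CK mapping easy to scan and avoids a formatter-only diff later: `id = "T1005"`, `name = "Data from Local System"`, `reference = "https://attack.mitre.org/techniques/T1005/"`. The hunk in the ActiveSync rule file has the same ordering. The enclosing `[[rule.threat]]` entry starts above this hunk and the `[rule.threat.tactic]` table continues below it, so whether the rule's `updated_date` was bumped with the mapping change cannot be checked from here.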
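Review bot: T1005 looks like a loose fit for this rule. Going by the file name, it detects an ActiveSync device being added to an Exchange mailbox, which gives a device ongoing sync access to mail rather than reading data from the local file system. An over-broad technique tag inflates ATT&CK coverage reports and points analysts at the wrong triage questions. Unless the rule query (outside this hunk) actually observes local data access, I would drop this block here or record the rationale in a comment above it, e.g. `# T1005: <reason this rule evidences local data collection>`.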