From cc75f645b68b1cb70147f797cb129f34f62e1ee2 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Fri, 20 Aug 2021 00:19:11 -0800
Subject: [PATCH] [Rule Tuning] Add technique T1005 to 2 rules (#1405)
(cherry picked from commit 8099e1c733b32d52918f1dbada0f6ad603536e0f)
---
 .../collection_email_powershell_exchange_mailbox.toml | 5 +++++
 ...stence_powershell_exch_mailbox_activesync_add_device.toml | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 129e4d503..72e7ded9f 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -39,6 +39,11 @@ id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1005/"
+id = "T1005"
+name = "Data from Local System"
+
 [rule.threat.tactic]
 id = "TA0009"
diff --git a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
index cbd8c7b36..ac9ab73c8 100644
--- a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -39,6 +39,11 @@ id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1005/"
+id = "T1005"
+name = "Data from Local System"
+
 [rule.threat.tactic]
 id = "TA0009"
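Review bot: The added `[[rule.threat.technique]]` table lists its keys as `reference`, `id`, `name`, while the T1114 entry directly above it uses `id`, `name`, `reference`; writing the new entry as `id = "T1005"`, `name = "Data from Local System"`, `reference = "https://attack.mitre.org/techniques/T1005/"` keeps the technique entries uniform. The same applies to the identical hunk in `collection_persistence_powershell_exch_mailbox_activesync_add_device.toml`. The commit message gives no reason for the mapping, and the rule queries sit outside both hunks, so it cannot be confirmed from here that either rule observes data being read from the local system. That is least obvious for the ActiveSync device rule, and a wrong technique tag would inflate ATT&CK coverage reporting, so a one-line rationale in the commit description would help. Both hunks start mid-file, so whether each rule's metadata date was bumped alongside the tag change is not visible.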